Data protection in Sweden: overview
A Q&A guide to data protection in Sweden
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The collection and use of personal data is regulated by the Swedish Personal Data Act (1998:204) (PDA) (Personuppgiftslag). This implements Directive 95/46/EC on data protection (Data Protection Directive). In addition to the PDA, supplementary regulations are found in the Personal Data Ordinance (1998:1191) (Personuppgiftsförordningen) and the statute book (DIFS) of the Data Protection Authority (DPA) (Datainspektionen). If provisions in other legislation deviate from what is set out in the PDA, those provisions will take priority.
Other than the PDA, various laws govern the use of personal data within the public sector (for example, relating to the activities of law enforcement authorities). There are also several sectoral laws, including:
Patient Data Act (2008:355) (Patientdatalag) and the Pharmacy Data Act (2009:367) (Apoteksdatalag). These regulate the use of personal data in the health care sector.
Marketing Act (2008:486) (Marknadsföringslagen) and the Act on Names and Pictures in Advertising (1978:800) (Lag om namn och bild i reklam). These regulate the use of personal data in advertising and marketing activities.
Credit Information Act (1973:1173) (Kreditupplysningslagen) and the Debt Recovery Act (1974:182) (Inkassolagen). These regulate the use of credit information on individuals and debt collector activities, which generally require a permit from the DPA.
Electronic Communications Act (2003:389) (Lag om elektronisk kommunikation). This contains, among other things, provisions on the processing of personal data by providers of electronic communications networks and services.
Camera Surveillance Act (2013:460) (Kameraövervakningslag). This applies to camera surveillance in Sweden and processing of image and sound recordings from such surveillance. A permit is generally required for surveillance of public areas.
This article will mainly focus on the provisions of the PDA.
Scope of legislation
The Personal Data Act (PDA) applies to data controllers established in Sweden. A data controller is defined as the person or legal entity who alone or together with others decides the purpose and means of the processing of personal data. The PDA also applies to data controllers established in third countries (non-EU/EEA countries) if the equipment used for processing personal data is placed in Sweden, unless the equipment is solely used to transfer data from one third country to another third country. The Data Protection Authority considers a cookie placed on a computer in Sweden to be equipment used for processing, and consequently the PDA can apply to a data controller established in a third country with no other connection to Sweden.
The Personal Data Act (PDA) applies to personal data, which is defined as "any kind of information that directly or indirectly can be linked to a physical living person". This means that any information that alone or together with other data can be used to identify a person falls under the definition. An IP address is an example of data that can indirectly identify a person and is therefore considered to be personal data.
The PDA makes a distinction between personal data and sensitive personal data. The latter, for which stricter processing rules apply, is defined as personal data:
Revealing race or ethnic origin.
Revealing political views.
Revealing religion or philosophical beliefs.
Revealing union membership.
Concerning health or sex life.
The Personal Data Act (PDA) applies to all processing of personal data that is carried out wholly or partly by automatic means. Processing refers to all kinds of actions or measures taken with personal data such as collecting, storing, processing, changing and deleting personal data. The PDA also applies to processing of personal data that is not wholly or partly automatic, if the data is intended to form part of a structured collection of personal data in which it is possible to search or compile the personal data according to specific criteria (for example, paper based registers).
See Question 2.
The Personal Data Act (PDA) does not apply to processing of personal data that a physical person carries out for strictly private purposes. In the case of unstructured materials, such as text in e-mails, text on web pages or sound and image recordings, many of the PDA's provisions do not apply. Processing of such personal data is allowed as long as it does not violate a person's personal integrity.
Also, the provisions of the PDA must not be applied to the extent that they would be contrary to the provisions on freedom of press, the right to obtain official documents and freedom of speech found in the Freedom of the Press Act (1949:105) (Tryckfrihetsförordningen) and Freedom of Expression Act (1991:1469) (Yttrandefrihetsgrundlagen).
Before the data controller initiates any processing of personal data, it must notify the Data Protection Authority (DPA) in writing.
If the data controller has appointed a Data Protection Officer (Personuppgiftsombud) and has registered with the DPA, it will be exempt from the requirement to notify the DPA. The data controller will also be exempt if the processing is based on consent from the registered person.
However, the Data Protection Officer must keep a record containing the same information that would otherwise have been notified to the DPA of all personal data processing carried out by the data controller.
Main data protection rules and principles
Main obligations and processing requirements
The data controller is under an obligation to ensure:
Personal data is only processed if it is lawful.
Personal data is always processed in a correct manner and according to good practice.
Personal data is only processed for specific, explicitly stated and legitimate purposes.
Personal data is not processed for any purpose incompatible with the purpose for which the data was collected.
The personal data processed is adequate and relevant for the purpose of the processing.
Not more personal data than necessary for the purpose of the processing is being processed.
The personal data processed is correct and, if necessary, current.
All reasonable measures are taken to correct, block or delete personal data that is incorrect or incomplete in relation to the purpose of the processing.
Personal data is not stored for a longer period of time than necessary for the purpose of the processing.
Consent to the processing of personal data is not required if the processing is necessary:
In order to fulfil an agreement with the registered person or to take measures requested by the registered person prior to entering into an agreement.
For the data controller to fulfil a legal obligation.
For the protection of vital interests of the registered person.
For the performance of a task of public interest.
For the data controller or a third party to which personal data is transferred to carry out a task in the exercise of official authority.
For a purpose concerning a legitimate interest of the data controller or of a third party to which personal data is transferred, if this legitimate interest outweighs the registered person's interest in protection against violations of his or her personal integrity.
Under the Personal Data Act (PDA) it is generally forbidden to process sensitive personal data. However, there are exemptions (such as the registered person's express consent or if the registered person has clearly made the data public). Processing sensitive personal data may further be allowed if it is:
Necessary for the data controller to fulfil its duties or exercise its rights within the field of employment law.
Necessary for the protection of the registered person's or somebody else's vital interests and the registered person cannot give his or her consent.
Necessary for determining, submitting or defending a legal claim.
In addition to the above, sensitive personal data can be processed for healthcare purposes if necessary for preventive healthcare, medical diagnosis, treatment or healthcare administration.
Non-profit organisations with political, philosophical or religious purposes, as well as trade unions, can process sensitive personal data regarding their members and other persons who, due to the organisation's purposes, have frequent contacts with it. Any transfer of sensitive personal data to third parties requires the express consent of the registered person.
Furthermore, sensitive personal data can be processed for research and statistical purposes. However, such processing may have to be approved by an ethical research board according to the law on ethical review of research involving humans (Lag om etikprövning av forskning som avser människor) (2003:460).
It is generally not allowed for anyone other than public authorities to process personal data concerning criminal convictions, coercive measures or administrative detentions. However, this personal data can be processed for research purposes subject to approval by an ethical research board, as mentioned above.
Swedish personal identification numbers
Swedish personal identification numbers (Personnummer och samordningsnummer) cannot be processed without consent from the registered person. However, processing may be allowed when clearly justified with respect to the purpose of the processing, the importance of positive identification, or any other reason of significance.
Rights of individuals
The data controller must provide the registered person with information on the identity of the data controller, together with:
Information on the purpose or purposes of the processing.
Any other information that the registered person needs to exercise his or her rights related to the processing.
The latter includes information on third parties to which the data may be transferred or shared with, the obligations of the data controller to provide information and the registered person's right to request information and have data corrected.
It is important that the information set out above is provided prior to the data being collected, as otherwise consent will be considered invalid. This being said, there is no requirement to provide information that the registered person is already aware of. However, it is the data controller who has the burden of proving that valid consent has been obtained.
Right to request information
A natural person has the right, once per calendar year and free of charge, to request information from the data controller on whether it processes any personal data concerning him or her. If personal data is processed, the information must cover:
What data is being processed.
From where the data was obtained or collected.
The purpose or purposes of the processing.
Which third parties or categories of third parties the data is transferred to.
The request for information must be made in writing, be signed by the requesting person and be sent to the data controller. The information must be submitted by the data controller within one month from when the request was made.
Right to rectification
A registered person has the right to request that the data controller promptly rectify, block or delete personal data that has not been processed in accordance with the Personal Data Act (PDA) or any other regulations based on the PDA. It is the data controller who decides what measure to take, that is, whether to rectify, block or delete data that is found to have been processed in contravention of the PDA. In such a case, the data controller must also notify any third parties to which the data has been transferred of the measures taken, if so requested by the registered person or if more significant damage or inconvenience to the registered person could be avoided through such notification. If notification should prove impossible or involve a disproportionate effort, it does not have to be made.
Right to re-examination
Where a decision based on automatic processing of personal data for the purpose of determining personal characteristics (profiling) has legal implications or otherwise noticeable effects for a natural person, that person has the right to request a re-examination of the decision by a person in a position to change the automatically created decision. In addition, any person subject to such a decision has the right to request and receive information from the data controller on the technical process that led to the decision.
Data subjects have the right to request deletion of their data only to the extent that the data has been processed contrary to the provisions of the Personal Data Act (see Question 13, Right to rectification).
Under the Personal Data Act, the data controller is responsible for taking appropriate technical and organisational measures to protect the processed personal data. The measures must provide an appropriate security level based on:
The technical possibilities available.
The costs of the intended measures.
The specific risks linked to the processing of the personal data.
How sensitive the processed personal data is.
In assessing the risks of the processing, the Data Protection Authority has outlined that the outcome depends on (among other things):
The number of registered persons.
The amount of data on each person.
The level of sensitivity of the processed personal data.
There is currently no legal requirement under the Personal Data Act to inform registered persons or the Data Protection Authority in case of a data breach or loss of data for any other reason. However, according to the law on electronic communication, providers of electronic communication services are under an obligation to promptly notify the Swedish Post and Telecom Authority (PTS) (Post- och telestyrelsen) of any integrity incidents. If such incidents are expected to have a negative impact on the customers or users of the service that the processed data concerns, or if PTS so requests, the customers or users must also be promptly notified.
Processing by third parties
Under the Personal Data Act (PDA), a third party processing personal data on behalf of the data controller, that is, a data processor (Personuppgiftsbiträde), must only process personal data according to the instructions of the data controller. Furthermore, the data controller and the data processor are required to enter into a data processing agreement.
According to the Data Protection Authority, a data processing agreement should state that the data processor:
Can only process data according to the instructions of the data controller (thereby assuring that the data processor does not process the data for any other than the specified purposes).
Must take appropriate security measures.
In addition, a data processing agreement should include provisions that ensure that:
The data processor will apply the Swedish legislation to the processing of personal data.
The data controller has knowledge of any other/sub-data processors that may process the data.
The data controller is able to control that the data processor fulfils the requirements of the data processing agreement and the data controller's instructions, including taking the appropriate security measures.
There are technical and practical possibilities to investigate suspicions that somebody has had unauthorised access to the personal data.
The parties are aware of what measures will be taken at the expiry of the agreement so that the data processor does not have access to the personal data thereafter.
Under the Personal Data Act, personal data cannot be processed for direct marketing purposes if the registered person has notified the data controller in writing, including by e-mail, that he or she opposes such processing. Further regulations regarding marketing are provided in the Marketing Act, which implements part of Directive 2002/58/EC on the protection of privacy in the electronic communications sector (E-Privacy Directive). According to the Marketing Act, marketing to natural persons cannot be sent by e-mail, text message or otherwise by any automatic means unless the recipient has opted in by giving his or her consent to receiving such marketing beforehand.
If, however, the e-mail address of the recipient has been obtained in connection with selling a product to the person, the consent requirements do not apply insofar as:
The recipient has not opposed the use of the e-mail address for marketing purposes.
The marketing concerns the marketer's own similar products.
The recipient is given a clear possibility to, free of charge, oppose the use of the e-mail address for marketing purposes when the e-mail address is collected as well as in connection with every subsequent marketing message.
Marketing via e-mail must always (including in the case of business-to-business marketing) contain a valid address of the marketer through which the recipient can request that the marketing cease.
In relation to marketing activities via telephone, no distinction is made between landline and mobile phones and Sweden has chosen an opt-out legislative solution. Telephone calls to individuals for marketing purposes are therefore allowed if the individual has not clearly declared in advance that he or she does not wish to be contacted. Individuals not wishing to receive marketing calls can register in the NIX-Telefon register.
International transfer of data
Transfer of data outside the jurisdiction
Generally under the Personal Data Act, personal data can be transferred to and otherwise processed in other EU/EEA states. Personal data can also, for the sole use in that state, be transferred to signatory states of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981 (CETS 108).
The transfer of personal data to third countries (that is, non-EU/EEA states) is prohibited unless the third country in question has an adequate level of protection for personal data. In assessing whether the level of protection is adequate, all circumstances related to the transfer of personal data must be considered. Circumstances that must be given special consideration when carrying out this assessment are the:
Nature of the data.
Purpose or purposes of the processing.
Duration of the processing.
Country of origin, the country of destination and the regulations on the processing of personal data in the third country.
The states that the Commission has deemed to have an adequate level of protection are stated in Appendix 1 to the Personal Data Ordinance. On 12 July 2016 the Commission adopted an adequacy decision regarding the protection provided by the EU-US Privacy Shield framework. Transfers of personal data to US companies certified with the US Department of Commerce under the Privacy Shield framework are therefore considered to have an adequate level of protection.
Transfers of personal data to third countries may also be based on the use of standard contractual clauses adopted by the Commission. These standard contractual clauses are set out in Appendix 2 to the Personal Data Ordinance.
There are several exemptions to the main rule requiring an adequate level of protection for personal data before personal data can be transferred to a third country. These are:
Consent from the registered person.
Necessity of transfer in order to fulfil an agreement between the registered person and the data controller or in order to take measures requested by the registered person prior to entering into an agreement.
Necessity of transfer in order for the data controller to fulfil or enter into an agreement with a third party if the agreement is in the interest of the registered person.
Necessity of transfer in order to determine, submit or defend legal claims.
Necessity in order to protect vital interests of the registered person.
Transfer of personal data to group companies in third countries can be based on group-internal binding corporate rules (BCRs). The BCRs must be approved by the Data Protection Authority (DPA). It is important to note that Sweden does not participate in the mutual recognition procedure. Consequently, a Swedish group company applying BCRs that have been approved by other EU data protection authorities still needs to apply to the Swedish DPA and await approval before it can transfer any personal data to group companies in third countries based on the BCRs.
Data transfer agreements
There is no need for approval of personal data transfers to third countries based on a Commission decision of adequate level of personal data protection or on the standard contractual clauses adopted by the Commission and referred to in the Personal Data Ordinance.
Third-country transfers of personal data based on binding corporate rules (BCRs) must be approved by the Data Protection Authority (see Question 20). Similarly, if transfers are to be based on other agreements or guarantees for the protection of the personal data of registered persons it is necessary to apply to the Data Protection Authority for exemption from the general prohibition against transfers of personal data to third countries.
Enforcement and sanctions
The Data Protection Authority (DPA) can request:
Access to the personal data that is being processed.
Information and documentation regarding the processing of personal data and the security measures implemented during this processing.
Access to facilities that are linked to the processing of personal data.
The DPA can also prescribe what security measures the data controller should apply in individual cases.
According to the Personal Data Act (PDA), if the Data Protection Authority (DPA) establishes that personal data is being or may be processed in an unlawful manner, it must first try to have the data controller remedy the situation by issuing remarks or taking similar measures. If the data controller does not remedy the situation, or if the matter is urgent, the DPA may prohibit further processing of the personal data, other than storage, and issue statutory fines.
The same applies if, on request, the DPA does not receive sufficient information to assess whether the processing is lawful or if the data controller does not take the security measures prescribed by the DPA. An administrative court can, on request by the DPA, order that personal data that has been processed unlawfully must be destroyed.
The data controller is liable to pay damages to a registered person corresponding to the harm and violation of the personal integrity that the unlawful processing of personal data has caused the registered person.
A natural person may be sentenced to a fine or, in severe cases, to imprisonment of up to two years if he or she intentionally or by gross negligence:
Delivers incorrect information to a registered person when information must be provided according to the PDA.
Delivers incorrect information in a notification to the DPA or when the DPA requests information.
Processes sensitive personal data or personal data regarding criminal convictions in contravention of the provisions of the PDA.
Transfers personal data to a third country in contravention of the provisions of the PDA.
Fails to notify the DPA of data processing.
In unstructured material, processes sensitive personal data or personal data regarding criminal convictions, or transfers personal data to a third country that does not have an adequate level of protection for personal data.
Swedish Data Protection Authority (Datainspektionen) (DPA)
Main areas of responsibility. The DPA's main task is to detect and prevent threats to personal integrity. Its operations are primarily focused on areas expected to be particularly sensitive from an integrity perspective, on new phenomena and applications of technology, and on areas where the risk of abuse or faulty use can be expected to be particularly large. The DPA is the responsible authority in relation to the Personal Data Act, the Patient Data Act, the Credit Information Act, the Debt Recovery Act and the Camera Surveillance Act.
Swedish Data Protection Authority (DPA)
Description. The official website of the DPA. The information in Swedish is generally up-to-date. It may contain out-of-date information in other languages, for example, the English PDF file on the Personal Data Act was produced in 2006 and should therefore not be relied on (www.datainspektionen.se/in-english/).
Susanna Norelid, Partner
Professional qualifications. Advokat, Sweden
Areas of practice. Corporate and commercial; marketing and advertising; data protection and privacy.
Non-professional qualifications. LLM, University of Lund, 1991; LLM of International Business Law, University of London, 1993
Professional associations/memberships. Member of the Swedish and International Bar Association; ICC Marketing Committee; International Association of Defence Counsels (IADC); Network leader, JUC Network on Personal Data and Privacy.
Emanuel Hollstrand, Associate
Professional qualifications. Associate, Sweden
Areas of practice. Data protection and privacy; marketing and advertising.
Non-professional qualifications. LLM, Stockholm University, 2012