Data protection in Sweden: overview
A Q&A guide to data protection in Sweden.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The collection and use of personal data is regulated by the Personal Data Act (Personuppgiftslag (1998:204)) (PDA). The PDA is the most important legal instrument on data protection and applies to automatic processing of personal data and, in certain cases, manual processing of personal data on traditional paper-based files. The PDA applies to both the public and private sector, and contains provisions to protect individuals' privacy from being violated by the processing of personal data.
The PDA implements Directive 95/46/EC on data protection. The PDA is supplemented by a Personal Data Ordinance and the Data Inspection Board's (see box, The regulatory authority) own statute book (Statute Book). To the extent specific legislation deviates from the PDA, it has priority and applies instead of the PDA. This guide will mainly focus on the PDA.
In addition to the PDA, there are various sectoral laws, mainly the:
Debt Recovery Act (Inkassolagen (1974:182)). The Act stipulates that, with a few exceptions, anyone who collects debts on behalf of another, or who has purchased debts for collection, must have a permit from the Data Inspection Board.
Credit Information Act (Kreditupplysningslagen (1973:1173)). The primary purpose of the Act is to protect individuals' privacy with respect to credit information. The Act stipulates that credit information concerning an individual can only be disclosed if there is a legitimate reason for disclosure.
Electronic Communications Act (Lagen (2003:389) om elektronisk kommunikation). The Act contains certain privacy rules concerning the processing of personal data in connection with the provision of electronic communications networks and electronic communications services. The Act implements Directive 2002/58/EC on the protection of privacy in the electronic communications sector (Privacy and Electronic Communications Directive).
Patients' Personal Data Act (Patientdatalag (2008:355)). The Act provides coherent regulation of the processing of personal data in the healthcare sector. The purpose of the legislation is to ensure increased patient security and protection of patients' privacy.
The Camera Surveillance Act (Kameraövervakningslag (2013:460)). The Act applies to video surveillance of public areas.
The Marketing Act (Marknadsföringslag (SFS 2008:486)). The Act applies to marketing activities by legal entities, including unsolicited electronic commercial communications (for example, spam).
Scope of legislation
The PDA applies to all types of personal data, that is, data that is directly or indirectly (that is, in conjunction with other data) referable to a living natural person. For example, an Internet Protocol address (IP address) is deemed personal data as long as the IP address, in conjunction with additional information (such as an internet provider's billing information), can identify the individual using the IP address.
The PDA is technology-neutral and applies to the processing of personal data that is wholly or partly performed with the aid of computers or similar equipment that is capable of automatically processing personal data. The PDA also applies to manual registers or filing systems if the personal data is included or is intended to be included in a structured collection making the personal data available for searching or compilation according to specific criteria.
The PDA does not apply to personal data that an individual collects and maintains in an activity of a purely private nature. For example, an individual can maintain an electronic diary or a register with the addresses of friends and relatives without being subject to the PDA.
The PDA applies to any operation taken in relation to personal data. The following are examples of operations that constitute processing of personal data:
Disclosure by transfer or dissemination of personal information.
Compilations or joint processing.
Blocking, erasure or destruction.
Personal data in structured material can only be collected for specific, explicitly stated and legitimate purposes. Personal data cannot be reprocessed for any purpose that is incompatible with the original purpose, meaning that data collected for a particular purpose cannot be processed later for a different purpose or in a different manner unless new legal grounds have been established.
The application of the PDA does not require that the information processed be structured in a specific way or be processed by any particular method. Therefore, all computerised word and text processing, or similar processing of running text, containing personal data would be subject to the PDA. This broad application of the PDA was generally considered too restrictive and bureaucratic. In 2007, Sweden therefore amended the PDA to include simplified rules that apply to the processing of personal data in unstructured material, to facilitate processing of personal data that generally would not entail a violation of personal privacy. Unstructured material includes, for example, running text published on the internet, sounds, images and e-mail messages.
According to the simplified rules, the majority of the PDA's provisions do not apply when processing personal data in unstructured material. For example, the data controller is not required to comply with the fundamental requirements of the PDA nor fulfil the general information requirements (see Question 12).
The simplified rules constitute "abuse rules", meaning that the exemptions when processing personal data in unstructured material only apply if the privacy of the data subject is not violated.
If the data controller violates the privacy of the data subject when processing data in unstructured material, then the PDA will apply in its entirety.
The PDA does not apply if equipment is used only to transfer information between two countries that are both located outside the EU/EEA.
The main rule under the PDA is that personal data can only be processed if the data subject has given his consent to the processing (see Question 9). However, there are exemptions to this rule, for example, processing of personal data is permitted if the processing is necessary to:
Enable the performance of a contract with the data subject, or to enable measures that the data subject has requested to be taken before a contract is entered into.
Enable the data controller to comply with a legal obligation.
Protect the data subject's vital interests.
Perform a work task of public interest.
Enable the data controller, or a third party to whom the personal data is provided, to perform a work task in conjunction with the exercise of official authority.
Satisfy a purpose that concerns a legitimate interest of the data controller, or of a third party to whom personal data is provided, if this interest outweighs the data subject's interest of protection of personal privacy.
Further, under Swedish law, public authorities have a duty to disclose public documents on request (unless secrecy applies), and also to archive and save public documents without alterations. The provisions of the PDA cannot be applied to limit the principle of access to official documents. In addition, the provisions concerning freedom of the press and freedom of expression in the Freedom of the Press Act (Tryckfrihetsförordningen (1949:105)) and Fundamental Law on the Freedom of Expression Act (Yttrandefrihetsgrundlagen (1991:1469)) also prevail over the provisions of the PDA. The PDA also includes exemptions for the processing of personal data that is only related to journalistic work, or artistic or literary creations.
The general rule is that all processing of personal data that is completely or partially automated is subject to a notification duty under the PDA. Therefore, the data controller must provide a written notification to the Data Inspection Board before any processing is conducted.
Notification is not required if the data controller has appointed a data protection officer by giving notice to the Data Inspection Board identifying the data protection officer. A data controller must keep the Data Inspection Board informed of all changes by notifying it of any new appointment or removal of a data protection officer. The data protection officer is responsible for independently ensuring that the data controller processes personal data in a lawful and correct manner and in accordance with good practice (see Question 5). The data protection officer must identify any inadequacies to the data controller and maintain a register of the processing that the data controller conducts, and which would have been subject to notification to the Data Inspection Board if the data protection officer had not been appointed.
In addition, the Data Inspection Board has in the Statute Book granted exemptions from the duty of notification in certain cases, and for certain kinds of processing that are not likely to result in an improper intrusion of privacy, for example if the data controller has received the data subject's consent or if the processing is conducted by a non-profit organisation.
Main data protection rules and principles
Main obligations and processing requirements
The data controller must ensure that the processing of personal data is at all times in accordance with the PDA's fundamental requirements that personal data is:
Processed only if it is lawful.
Always processed in a correct manner and in accordance with good practice.
Only collected for specific, explicitly stated and justified purposes.
Not processed for any purpose that is incompatible with the purpose for which the information was collected.
Adequate and relevant for the purposes of the processing.
Not excessive. Only the required sets of personal data may be processed and these must correspond with the purposes of the processing.
Correct, and, if necessary, up-to-date.
Rectified, corrected, blocked or erased by all reasonable means, if incorrect or incomplete with regard to the purpose of the processing.
Not kept for a longer period than necessary with regard to the purpose of the processing.
Generally, the PDA states that personal data can only be processed if the data subject has given his consent to the processing (see Question 6).
Under the PDA, consent means every kind of active, voluntary, specific and unambiguous expression of will by which the data subject, after the receipt of information, accepts the processing of personal data concerning him. Consent must always be voluntary, but can be either verbal or written. The burden of proof is on the data controller to show that consent has been given to the particular processing. It is therefore recommended that written confirmation be obtained by the data controller.
The data subject must receive all information necessary to enable him to assess how the collected personal data will be used and the advantages and disadvantages of the processing, so that he can exercise his rights under the PDA. The consent must be specific to a particular processing performed by a particular data controller for a particular purpose. Therefore, it is not possible to obtain general consent.
Generally, online consent is sufficient provided it complies with the above regulations. However, it is preferable to use an opt-in mechanism (for example, the individual could tick an "I Agree" checkbox) when seeking consent, as it is uncertain if an "opt-out" mechanism with a pre-ticked checkbox qualifies as an active, voluntary and unambiguous action.
Implied or inferred consent
As it is required that consent is a specific and unambiguous expression of will, an implied or inferred consent will only be valid if there is no doubt that the data subject accepts the processing of his personal data. The burden of proof is on the data controller to show that consent has been given to the particular act of processing, which may be difficult to prove if the consent is implied or inferred.
Consent by minors
The PDA does not include any special rules relating to consent by minors. Any individual, including a minor, who is able to comprehend the implications of consent to the processing of personal data is entitled to give this consent. The Data Inspection Board has stated that a 15-year-old is generally able to consent to processing of his personal data, unless other regulations prevent processing of a minor's personal data. An assessment must therefore be made on a case-by-case basis. Depending on the age, the type of data and the purpose of the processing, it may be appropriate to obtain the consent of both the minor and the minor's legal guardian.
See Question 6.
The PDA stipulates special rules for personal data relating to sensitive personal data, personal identity numbers and criminal records.
Sensitive personal data. The processing of sensitive personal data is generally prohibited. The PDA defines sensitive personal data as data that reveals:
Race or ethnic origin.
Health and sex life.
Religious or philosophical beliefs.
Membership of a trade union.
However, there are several exemptions. Sensitive personal data may be processed if the data subject has given his explicit consent to the processing, or if the processing is necessary:
For the data controller to be able to fulfil obligations or exercise rights under employment law.
For the protection of the data subject's or someone else's vital interests and the data subject is unable to give his consent.
To establish, exercise or defend legal claims.
Sensitive personal data may be processed for healthcare purposes, if necessary for preventative healthcare, medical diagnoses, treatment or care, or administration of healthcare. With the approval of the Ethical Review Board, sensitive personal data can as a general rule also be processed for research and statistics purposes.
Personal identity numbers. In Sweden, each individual is assigned a personal identity number at birth. Personal identity numbers can be processed without consent only when manifestly justified, with regard to the purpose of the processing, the importance of definitive identification, or for some other substantial reason.
Criminal records. It is generally prohibited for any person or party other than public authorities to process personal data concerning violations of laws involving crimes, judgments in criminal cases, coercive penal procedural measures and similar measures.
The government or the Data Inspection Board can issue exemptions from the prohibition on processing sensitive personal data and personal data concerning criminal records where such exemptions are necessary for public interest.
Rights of individuals
The general rule is that a data controller must voluntarily provide information to a data subject at the point of collecting personal data. This information includes:
The name, address, telephone number, company registration number and e-mail address (to the extent applicable) of the data controller.
Information concerning the purpose of the processing.
Any other information necessary for the data subject to be able to exercise his rights in connection with the processing.
This means that the data controller must also inform the data subject about the recipients of the data, about the data subject's right to request information from the data controller concerning the processing, and about the data controller's obligation to rectify any information about the data subject that has been erroneously processed.
There are exceptions to a data subject's right to receive information. Information does not need to be provided in relation to matters of which the data subject is already aware. Where the personal data is collected from a third party and not from the data subject himself, it is not necessary to provide information to the data subject if:
It is impossible.
It would involve a disproportionate effort.
The obligation to provide information can also be limited by legislation. For example, secrecy and confidentiality in health and hospital care may apply to a patient with regard to the purpose of the care or treatment. In these circumstances, there is no obligation to provide information to the data subject.
Right to information
Upon a data subject's request, the data controller must provide information on whether personal data concerning the data subject is being processed or not. If personal data is processed, written information must also be provided on:
The type of information being processed.
The source of the data.
The purpose of the processing.
To which recipients or groups of recipients the data is disclosed.
The data controller must submit the information to the data subject free of charge within one month of the request. The duty to provide information at the request of the data subject is limited to one occasion per calendar year.
Right to prevent further processing
A data subject is entitled to withdraw his consent to the processing of personal data at any time. No further processing of the data subject's personal data may be conducted after such a withdrawal. The data subject is however not entitled to oppose processing of personal data that is permitted under the PDA without his consent.
Right to object to direct marketing
The data subject can at any time object to the processing of personal data for the purpose of direct marketing by notifying the controller in writing that he opposes the processing. After the data subject's notification, no subsequent processing of the data subject's personal data for the purpose of direct marketing can be conducted by the data controller.
Upon a data subject's request, the data controller must immediately rectify, block or erase personal data that has not been processed lawfully (including erroneous data). The data controller must also notify any third party to whom personal data has been disclosed of the measures taken if requested to do so by the data subject, or if such notification would prevent substantial damage or inconvenience to the data subject. However, such notification is not needed if it proves impossible or would involve a disproportionate effort.
The rules concerning secrecy and confidentiality (see Question 12) also apply when information is requested by the data subject himself.
The data controller must implement technical and organisational measures to attain a suitable level of security to protect the personal data. When assessing the suitable level of security needed, consideration must be given to:
The technical possibilities available.
What it would cost to implement the measures.
The special risks that exist with processing of the personal data.
How sensitive the processed personal data is.
The Data Inspection Board has issued non-binding guidelines concerning the security required by the PDA, as well as practical advice on designing secure IT systems that respect data privacy (that is, privacy by design guidelines).
The Data Inspection Board strictly enforces security matters and can, to a reasonable extent, provide advice on security matters to a data controller. The Data Inspection Board can also decide on measures for a data controller to implement to satisfy the Data Inspection Board's security requirements. If the data controller fails to comply with such security measures, the Data Inspection Board can prescribe a default fine.
There is generally no obligation under the PDA requiring data controllers to notify security breaches to the Data Inspection Board or to the data subject. However, there is one exception: if a data protection officer (DPO) has been appointed and identifies a breach of the PDA, the DPO must raise the breach with the data controller. If the data controller does not rectify the breach as soon as practicable upon being notified, the DPO must then notify the breach to the Data Inspection Board.
There are no requirements for the DPO to notify the data subject if there is a breach of the PDA, but it could be argued that in certain cases, and to mitigate a loss for the data subject, the data subject should be informed of the breach.
Processing by third parties
If the data controller engages a third party to conduct the processing of personal data on behalf of the data controller (data processor), there must be a written contract between the data controller and the data processor:
Stipulating that the data processor may only process personal data in accordance with the data controller's instructions.
Specifically regulating the security aspects of the processing of personal data.
It is always the data controller who is accountable in relation to the data subject, even if the data controller has engaged a data processor. Therefore, it is the data controller that bears the legal responsibility that the data processor actually implements the necessary security measures.
Under the Electronic Communications Act, the general rule is that visitors must actively consent to cookies being used. It is also stipulated that in order to store a cookie on a data subject's terminal, the data controller must inform the data subject:
What the cookie is used for.
Where the cookie originates from.
How long the cookie is stored.
How the cookie can be avoided.
Cookies that are necessary for the provided service to function (for example, cookies relating to shopping baskets and authentication) are exempted from the general rule.
The supervisory authority for the Electronic Communications Act, the Post and Telecom Authority (Post- och telestyrelsen), has provided further guidance on the information that must be given when storing cookies on a data subject's terminal. The data subject must be informed of:
What the various cookies are called.
Which domain name they belong to.
What data is stored in the cookies.
How long the cookies are saved in the visitor's web browser.
The purpose of the cookies.
Whether the information comes from or is released to a third party.
The legal requirements regarding when and how consent must be given are currently unclear, as the Post and Telecom Authority has, to date, not imposed any sanctions on data controllers that do not comply with the rules. Instead, the industry is encouraged to come up with practical solutions for ensuring that the rules are complied with, since there is no single technical solution that applies to all situations. It is the responsibility of each website manager to implement an appropriate solution for the website and its users.
Sweden has implemented "anti-spam" rules, based on the Privacy and Electronic Communications Directive. The main rule is that advertising to a natural person using electronic mail or other automatic systems is permitted only if the individual has given his prior consent. However, no prior consent is necessary if the natural person's e-mail address has been obtained in connection with the sale of a product, provided the following conditions are met:
The person has not objected to the use of the e-mail address for marketing purposes.
The marketing pertains to the sender's own products or similar products.
The person must be given the opportunity to opt out, free of charge and in an easy manner, when the information is collected, and in conjunction with each subsequent marketing communication.
The marketing must always contain a valid address to which the recipient can send a request to opt out of the marketing.
International transfer of data
Transfer of data outside the jurisdiction
Generally, it is prohibited to transfer personal data that is being processed to a country outside the EU/EEA that does not have an adequate level of protection for personal data, unless the data subject has explicitly consented to the transfer. When assessing the level of protection afforded by a country outside of the EU/EEA, all circumstances surrounding the transfer are considered. However, particular consideration must be given to the:
Nature of the data.
Purpose of the processing.
Duration of the processing.
Country of origin.
Country of final destination.
Rules that exist for the processing in the third country.
Whether the level of protection in a particular country is adequate must be assessed on a case-by-case basis.
However, a transfer of personal data to a country outside the EU/EEA is permitted without the data subject's consent if the transfer is necessary for the:
Performance of a contract between the data controller and the data subject, or measures that the data subject has requested to be taken before a contract is made.
Conclusion or performance of a contract between the data controller and a third party, which is in the data subject's interest.
Establishment, exercise or defence of legal claims.
Protection of vital interests of the data subject.
It is also permitted to transfer personal data for use in a state that is party to the Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Strasbourg Data Processing Convention), provided the personal data is used only in that particular state.
For automated processing, the government can issue regulations permitting the transfer of personal data to a country outside the EU/EEA if the transfer is regulated by an agreement with sufficient guarantees of the rights of the data subject (see Questions 22 to 23). In addition, the government can issue regulations, or decide on individual cases, to permit the transfer of personal data to a country outside the EU/EEA:
Provided it is considered necessary, with regard to vital public interests.
If there are sufficient safeguards to protect the data subject's rights.
A group of companies that has formally adopted binding corporate rules (BCRs) can also freely transfer personal data among its group companies. The BCRs must be pre-approved by the Data Inspection Board. Sweden is not part of the mutual recognition procedures. In addition, transfers of personal data to the US are permitted if the recipient in the US has adopted the Safe Harbor Rules.
Publication of personal data on the internet is normally not considered to entail a transfer of information to all countries that have access to the internet.
There are generally no legal requirements to store specific types of personal data within the territory of Sweden.
Under the Swedish Accounting Act (Bokföringslagen (1999:1078)), there is a legal obligation to store all material containing accounting information within Sweden. However, accounting information does not generally contain personal data.
Data transfer agreements
The government can, in relation to matters of automated processing of personal data, issue regulations permitting the transfer of personal data to a party outside the EU/EEA (see Question 20), provided the transfer is regulated by an agreement that provides sufficient guarantees of the rights of the registered persons.
Sweden has acknowledged the validity of the three standard form clauses approved by the European Commission. The Personal Data Ordinance expressly provides that a transfer of personal data to a country outside the EU/EEA is allowed when the transfer is conditioned by any of the three standard form clauses. However, the transfer must always be in accordance with the general rules concerning the processing of personal data and the specific rules regarding sensitive personal data.
Provided that a data transfer agreement based on the standard form clauses approved by the European Commission is used, there is no duty of notification, or other similar requirements, nor is any approval required from the Data Inspection Board to legitimise a transfer of personal data to a country outside the EU/EEA.
Enforcement and sanctions
The main objective of the Data Inspection Board is to assist and advise data controllers in resolving any unlawful processing of personal data. The Data Inspection Board can decide on measures that a data controller must implement to satisfy the Data Inspection Board's security requirements (see Question 15). However, the Data Inspection Board will normally first request a data controller to remedy any breaches.
The Data Inspection Board can obtain, on request:
Access to personal data processed by a data controller.
Information about and documentation of the processing of personal data.
Information on security of the processing of the personal data.
Access to the premises connected with the processing of personal data.
If the Data Inspection Board concludes that the processing of personal data is unlawful, or is unable to obtain sufficient guarantees that the processing of personal data is lawful, the Data Inspection Board can prohibit a data controller from processing personal data in any manner other than by storing it.
The Data Inspection Board can also, at the County Administrative Court, apply for the erasure of the personal data that has been unlawfully processed.
A data controller is liable to pay damages to a data subject for damage and violation of personal privacy caused by the processing of personal data in contravention of the PDA. Further, a person can, in addition to damages, be subject to a fine or imprisonment of up to two years if he intentionally or by gross negligence:
Discloses untrue data to the data subject or to the Data Inspection Board.
Processes personal data in contravention of the provisions of the PDA.
Processes sensitive personal data or data concerning violations of laws in contravention of the provisions of the PDA.
Transfers personal data to a country outside the EU/EEA in contravention of the provisions of the PDA.
Fails to give notice of personal data processing to the Data Inspection Board.
Normally, the courts impose penalties in the form of fines and damages. Imprisonment sentences are rare and the few imprisonment sentences rendered by Swedish courts have involved additional offences, such as defamation.
Swedish Data Inspection Board (Datainspektionen)
Main areas of responsibility. The Swedish Data Inspection Board is a central government agency. Its task is, among other things, to ensure that the processing of personal data does not violate individuals’ privacy. The Data Inspection Board also assists individuals whose privacy has been violated, and issues regulations and general recommendations, as well as opinions on legislative proposals.
Data Inspection Board
Description. This is the official website maintained by the Data Inspection Board. The information it contains is up to date in Swedish, but may be outdated in other languages. For example, the translation of the PDA has not been updated and is therefore currently partly obsolete.
Erica Wiking Häger, Partner
Mannheimer Swartling Advokatbyrå
Professional qualifications. LLM (Uppsala University, 1993 and Harvard Law School 1999). Admitted to the bars of Sweden and New York State.
Areas of practice. Data protection and privacy, compliance programs, outsourcing, drafting and negotiating IT-related contracts.
Publications. Data Protection & Privacy, jurisdictional comparisons, second edition 2014, Sweet & Maxwell
Sixto Rios, Associate
Mannheimer Swartling Advokatbyrå
Professional qualifications. LL.M (Uppsala University, 2014 and University of Minnesota Law School, 2013); B.Sc. (Stockholm University, 2010)
Areas of practice. Data protection and privacy, negotiating and drafting commercial technology contracts and IT-related contracts in particular.
Jenny Bergström, Associate
Mannheimer Swartling Advokatbyrå
Professional qualifications. LL.M (Uppsala University, 2009 and Université Paul Cézanne Aix-Marseille III, 2007); B.Sc. (Karolinska Institute, 2013)
Areas of practice. Regulatory, marketing and distribution issues regarding heavily regulated products such as medicinal products, medical devices, food and cosmetics, including legal issues relating to clinical trials and data protection.