April 2024

1. Governing Texts

Sweden has a long history of safeguarding personal data and was the first country to adopt data protection legislation when the Swedish Data Act (SFS 1973:289) (only available in Swedish here) (the 1973 Data Act) gained legal force in 1973. With the implementation of the 1973 Data Act, the Swedish Data Protection Authority was established with the purpose of e.g., granting the necessary permits for the processing of personal data. During the years following the adoption of the 1973 Data Act, the Swedish data protection legislation has been subject to significant changes, mostly as a result of Sweden being a Member State of the EU. The Swedish data protection regime now consists of laws supplementing the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), as well as the so-called register statutes primarily designed to regulate public authorities' processing of personal data.

While the laws supplementing the GDPR were drafted in connection with the GDPR entering into force, many of the so-called register statutes existed prior to the GDPR. These were simply updated with references to the GDPR, instead of the former Swedish Personal Data Act (SFS 1998:204) (the 1998 Act), which implemented the Data Protection Directive (Directive 95/46/EC). This means that in order to gain a comprehensive understanding of the Swedish data protection regime, it is important to not limit oneself to the data protection legislation but also consult the applicable register statutes.

The Swedish Authority for Privacy Protection (IMY), previously the Swedish Data Protection Authority, is the supervisory authority in matters concerning data protection. IMY's overall task is to safeguard individual privacy in this information age, and, as previously mentioned, has been doing so for the past 50 years.

1.1. Key acts, regulations, directives, bills

In connection with the GDPR entering into force, the 1998 Act was revoked and replaced by the Act with Supplementary Provisions to the GDPR (SFS 2018:218) (only available in Swedish here) (an unofficial English translation of the Act is available here) (the Act). In addition to the Act, the Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) (only available in Swedish here) (an unofficial English version of the Ordinance is available here) (the Ordinance) was adopted by the Swedish Government (the Government).

The aforementioned legislative act and ordinance serve the purpose of supplementing the GDPR and governing the overall processing of personal data in Sweden. However, other legislative acts target specific data processing activities. For example, the Swedish Camera Surveillance Act (SFS 2018:1200) (only available in Swedish here) contains provisions regarding camera surveillance, the Swedish Patient Data Act (SFS 2008:355) (only available in Swedish here) (the Swedish Patient Data Act) regulates how personal data may be processed within the healthcare sector, and the Swedish Credit Information Act (SFS 1973:1173) (only available in Swedish here) safeguards individuals' privacy in connection with credit information services.

1.2. Guidelines

IMY is responsible for issuing guidelines and legal opinions on data protection matters. Furthermore, IMY is tasked with supervising and inspecting compliance with the GDPR and the Swedish supplementary legislation.

IMY regularly issues guidelines, mainly through articles on its website. For example, IMY has published a checklist that entities can use as a tool to ensure that their processing of personal data is compliant with the GDPR as well as the Swedish supplementary legislation (only available in Swedish here). Moreover, IMY has also made available a Q&A containing frequently asked questions (only available in Swedish here).

IMY can also issue legal opinions (only available in Swedish here). These are indicative for both organizations and the public and are valid until further notice. IMY issues legal opinions where there is no guiding case law or guidance from the European Data Protection Board (EDPB). The legal opinions may be revoked or amended if there is new case law or guidance from the EDPB.

For a more detailed description of IMY's tasks relating to guidelines, see the section on Regulatory Authority below.

1.3. Case law

Since 2018, IMY has made several enforcement decisions under the GDPR. While some decisions have resulted in an obligation to pay administrative fines, others have been limited to warnings and reprimands. For more detailed information regarding IMY's enforcement decisions, see the section on enforcement decisions below.

Enforcement decisions may be appealed to the Swedish administrative courts. While cases from the administrative courts and the courts of appeal do not set precedent, they do guide how the law is applied.

Most of the cases in which IMY is a party are appeals by individuals who have submitted complaints to IMY that have not resulted in an investigation. Only a limited number of cases are appeals of IMY's supervisory decisions. However, most supervisory decisions that include a fine are appealed.

With IMY's increased focus on enforcement and investigations, it can be anticipated that more enforcement decisions will be tried by the administrative courts in the near future. At the time of writing, 66 supervisory decisions by IMY have been appealed (available in Swedish here).

2. Scope of Application

2.1. Personal scope

The Swedish data protection legislation applies as set forth in the GDPR.

2.2. Territorial scope

As stipulated regarding the legal age of consent for children for the processing of their personal data, Chapter 2, Section 4 of the Act shall apply to all children living in Sweden, regardless of where the data controller or data processor is established.

There are no other deviations from the GDPR apart from the aforementioned.

2.3. Material scope

Contrary to what is stated in Article 2 of the GDPR, Chapter 1, Section 2 of the Act extends the scope of the GDPR to apply also to the processing of personal data in cases of:

• an activity which falls outside of the scope of Union law; and

• carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union.

However, the GPDR does not apply if the activities are also covered by:

• Act on Processing of Personal Data in the Swedish Armed Forces (SFS 2021:1171) (only available in Swedish here); or

• Act on the Swedish Security Service's Processing of Personal Data (SFS 2019:1182) (only available in Swedish here).

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

IMY is the Swedish supervisory authority responsible for safeguarding the privacy of individuals. Ensuring compliance with the GDPR and Swedish supplementary legislation thus falls within the scope of IMY's tasks.

IMY is an independent public authority governed by a Director General, appointed by each elected Government for every four-year term. However, it is worth noting that the Government, at its discretion, may terminate an appointment pre-maturely, as well as extend an appointment beyond the stipulated four years.

The Director General is obligated to regularly report to IMY's Supervisory Council, which is comprised of nine members, including the Director General (chair), members of parliament, and other individuals with relevant positions and qualifications, such as law professors, representatives of branch and employer associations, and officials from other public authorities.

3.2. Main powers, duties and responsibilities

As stipulated in Section 1 of the Ordinance on Instructions for Swedish Authority for Privacy Protection (SFS 2007:975) (only available in Swedish here), IMY's overarching goals are to 'work to ensure that people's fundamental rights and freedoms are protected in connection with the processing of personal data, to facilitate the free movement of such data within the EU and to work to ensure that good practice is observed in credit rating and debt recovery activities'.

To fulfill the aforementioned goals, IMY is tasked with enforcing and overseeing compliance with the GDPR and Swedish supplementary legislation for the purpose of safeguarding the right to privacy. However, note that IMY is not responsible for overseeing compliance related to the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive), which is instead overseen by the Swedish Post and Telecom Authority. IMY is also not able to oversee activities that are protected by the Swedish Freedom of Press Act (SFS 1949:105) (only available in Swedish here) (an unofficial English version of the Press Act is available here) (the Press Act) or the Swedish Fundamental Law on Freedom of Expression (SFS 1991:1469) (only available in Swedish here) (an unofficial English version of the Freedom of Expression Law is available here) (the Freedom of Expression Law), two of the four constitutional Acts, which comprise the Constitution of Sweden.

In order to monitor compliance, IMY is authorized to conduct inspections. These are for the most part carried out by way of written procedures whereby a data controller or data processor is asked to provide information and documentation relating to certain topics and questions. IMY is, however, also authorized to request and gain access to a legal entity's premises in order to conduct on-site inspections. Based on IMY's review of the information gathered during such inspections, IMY announces a decision or order which, depending on the nature of any possible shortcomings, may include various sanctions.

IMY is authorized to impose administrative fines. For less serious misconduct, IMY may also decide to issue warnings, reprimands, or specific orders, stating e.g., that an entity must cease to perform certain data processing activities. The latter may, for the purpose of ensuring compliance, be combined with a conditional fine.

A decision by IMY to initiate an inspection is based on its inspection policy and its biannual inspection plan. In the biannual inspection plan, IMY determines the focus of its inspection efforts during the upcoming two-year period. Thus, the inspection plan is valuable to companies seeking to understand in which direction the Swedish data protection regime will develop within the near future. However, IMY may also, at its own discretion, initiate inspections on the basis of e.g., individual complaints, tip-offs, or reports in the media.

In addition to monitoring compliance and conducting inspections, IMY is authorized to issue statutes regarding data protection. IMY has, inter alia, issued a statute for the processing of personal data concerning violations of law (DIFS 2018:2) (only available in Swedish here) (the IMY Regulations), which focuses on scenarios in which private entities may process personal data connected to criminal offenses and violations of law. A proposal for new regulations concerning the processing of personal data connected to violations of law is under referral (only available in Swedish here).

IMY is also granted authority to give advice on data protection issues, disseminate knowledge, and participate in the development of new soft law instruments (such as guidelines, recommendations, etc.). IMY is also regularly asked to review proposals for new or amended laws as a consulting body, and participates on expert commissions and committees.

Generally, IMY's guidance is heavily inspired by guidance from the EDPB and highlights its key aspects. This is the case with e.g., guidelines for CCTV. From its guidance, it is evident that IMY's intention is to work towards a harmonised interpretation of the GDPR amongst the EU Member States, rather than creating national deviations or differences in interpretation.

Finally, IMY regularly holds trainings and seminars covering various topics within the area of data protection. During such trainings and seminars, IMY may provide guidance and recommendations which are not publicly available on its website. They thus constitute an important tool for IMY in presenting a more nuanced picture than can be accomplished solely by written guidelines.

4. Key Definitions

Data controller: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

Data processor: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

Personal data: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

Sensitive data: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

Health data: There are no variations from the GDPR (Chapter 1, Section 1 of the Act). Note, however, that data processed by health care providers is specifically regulated by the Swedish Patient Data Act.

Biometric data: There are no variations from the GDPR (Chapter 1, Section 1 of the Act). Note, however, that data processed by health care providers is specifically regulated by the Swedish Patient Data Act.

Pseudonymization: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

5. Legal Bases

5.1. Consent

There are no variations in Swedish supplementary legislation as regards the consent of adults. For information regarding the consent of children, see further Section on children's data below.

5.2. Contract with the data subject

There are no variations from the GDPR.

5.3. Legal obligations

In Chapter 2, Section 1 of the Act, the Swedish legislator prescribes that processing based on Article 6(1)(c) of the GDPR is allowed only if the processing is necessary for the controller to be able to comply with a legal obligation that follows from an act or other statute, from collective agreements, or from decisions issued pursuant to an act or other statute.

5.4. Interests of the data subject

There are no variations from the GDPR.

5.5. Public interest

Chapter 2, Section 2 of the Act stipulates that the legal basis as set out in Article 6(1)(e) of the GDPR shall provide a possibility for public authorities to lawfully process personal data in their performance of tasks in the public interest or when they exercise public authority. The former constitutes a task that:

• is carried out in the public interest; and

• follows either from an act or statute, from collective bargaining agreements, or from decisions issued by public authorities pursuant to an act or statute.

According to page 190 of the Government Bill Prop. 2017/18:105 (only available in Swedish here) (Government Prop. 2017/18:105), private entities may only rely on this legal basis (if otherwise applicable) when performing a public task or exercising public authority.

5.6. Legitimate interests of the data controller

There are no variations from the GDPR.

5.7. Legal bases in other instances

The Government or IMY, according to Chapter 2, Section 3 of the Act, may issue statutes and, with respect to IMY, announce decisions, to the effect that controllers may process personal data for archiving purposes in the public interest. The definition of archiving in public interest corresponds to the reason given in Recital 158 of the GDPR. A decision rendered by IMY may be subject to further conditions.

6. Principles

There are no variations from the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

Dating back to the implementation of the Swedish Data Act in 1973, entities that were processing personal data had an obligation to notify IMY of their personal data processing activities. However, with the implementation of the GDPR, such obligations were removed and entities are no longer required to notify IMY of their personal data processing.

7.2. Data transfers

Although Swedish supplementary law does not prohibit or limit transfers of personal data in general, there are certain limitations on transfers of special categories of personal data. Chapter 3, Section 2 of the Act restricts transfers of special categories of personal data when they are processed for the purpose of enabling a data controller or a data subject to fulfil their obligations and exercise their special rights within labour legislation and in the areas of social security and social protection. The disclosure of special categories of personal data to a third party under these circumstances is only permitted if:

• there is an obligation within labour legislation or in the areas of social security and social protection for the data controller to do so; or

• the data subject has expressed their consent of such disclosure.

Furthermore, the Swedish Criminal Data Act (SFS 2018:1177) (only available in Swedish here) (the Criminal Data Act), which applies to processing of personal data carried out by authorized public authorities for the purpose of preventing, averting or discovering criminal activities, investigating crimes or prosecuting criminals, executing criminal sanctions, and maintaining public order and security, contains specific requirements regarding transfers of personal data. Authorized public authorities may, according to Chapter 8, Section 1 of the Criminal Data Act, with a few exceptions, transfer personal data to a third country or an international organization only if the transfer is:

• necessary to prevent, avert or discover criminal activities, investigate crimes or prosecute criminals, execute criminal sanctions, or maintain public order and security;

• directed to an authorized public authority in a third country or an international organization which is an authorized authority; and

• subject to either an adequacy decision, appropriate safeguards, or a derogation for a specific situation.

Additionally, Chapter 8, Section 2 of the Criminal Data Act stipulates that, as a general rule, a Swedish authority may only transfer personal data received from another EU Member State to a third country or international organization if such EU Member State grants its approval prior to the transfer. However, if a transfer is necessary for the aversion of an immediate and serious threat against public security, or threats against Sweden's or another EU Member State's key interests, such prior approval is not required.

Finally, when transferring personal data subject to the Criminal Data Act to another EU Member State, other conditions may not be imposed than those which may be imposed in relation to a Swedish recipient, unless otherwise explicitly stated in law or regulation (Chapter 2, Section 20 of the Criminal Data Act).

7.3. Data processing records

As stipulated in Article 30 of the GDPR, all data controllers and data processors must maintain a data processing record unless they are subject to the exceptions set forth in Article 30(5) of the GDPR. In addition to the exceptions provided for in the GDPR, under Chapter 1, Section 7 of the Act, the obligation to keep a record of processing activities does not apply to the processing of personal data carried out for journalistic purposes, academic, artistic, or literary creation.

Furthermore, Chapter 1, Section 7 of the Act states that the obligation to maintain a record of processing activities does not apply if such obligation is in conflict with the Press Act or the Freedom of Expression Law. This implies, inter alia, that processing of personal data which is an inherent part of exercising constitutional rights to produce and disseminate opinions, as well as the freedom to acquire and disclose information, are excluded from the scope of the GDPR. These aforementioned national variations are based on the possibility for exemptions or derogations pursuant to Article 85 of the GDPR.

7.4. Data protection impact assessment

Swedish supplementary legislation does not give any account for variations from the GDPR concerning when a Data Protection Impact Assessment (DPIA) is required, apart from the exceptions described below. IMY has, in accordance with Article 35(4) of the GDPR, established a list of activities that require a prior DPIA to be performed. IMY has stated in its DPIA Blacklist that a DPIA shall be carried out if the planned data processing activities meet two or more of the criteria in the list below (with some exceptions):

• evaluation or scoring;

• automated-decision making with legal or similar significant effect;

• systematic monitoring;

• special categories of data or data of a highly personal nature;

• data processed on a large scale;

• matching or combining datasets;

• data concerning vulnerable data subjects;

• innovative use or applying new technological or organizational solutions, e.g., Internet of Things (IoT) applications; and

• when the processing in itself prevents data subjects from exercising a right, using a service or a contract.

In this regard, the EDPB has published the following Opinion for Sweden:

• Opinion 20/2018 on the Draft List of the Competent Supervisory Authority of Sweden regarding the Processing Operations Subject to the Requirement of a Data Protection Impact Assessment (Article 35.4 GDPR)

The criteria listed above may seem familiar to those who are aware of guidelines from the European Data Protection Supervisor (EDPS) concerning when a DPIA is required. This is due to the fact that IMY's list of criteria mirrors the list provided in that guidance. In addition to the aforementioned list of criteria, IMY has published guidance (only available in Swedish here) in the form of questions and examples which aims to assist data controllers in assessing whether or not a specific personal data processing activity requires a prior DPIA to be performed.

IMY has also provided a number of specific examples (only available in Swedish here) of personal data processing activities which entail that a DPIA shall be carried out. The activities are divided into the areas of work life, marketing, processing of special categories of personal data, private sector, public sector, and technology and include, inter alia, the following:

• providing internet-connected products for consumers' homes (smart home products), e.g., in order to be able to control heating, lighting, or audio playback remotely, where such products collect detailed information on how customers use the services;

• businesses that collect personal data, including, inter alia, location data, which arise through the use of smart cars, e.g., in order to develop the technology thereof;

• processing of financial data of natural persons on a large scale in order to be able to disclose such data to other actors for credit information purposes;

• collecting information from social media to profile natural persons and then target marketing to certain selected groups;

• performing background checks prior to recruitment; and

• introducing a common system in which it is possible to report malpractice in the workplace, a so-called whistle-blower system.

IMY has not provided a 'whitelist' in which it exempts certain processing activities from the obligation to carry out a DPIA. IMY has stated that a DPIA is not necessary when processing is not likely to result in a high risk to the rights and freedoms of natural persons and has provided the following two scenarios and subsequent descriptions of processing activities (only available in Swedish here) that probably do not entail such high risk, as follows:

• newsletters; if an online magazine uses a mailing list to send a daily newsletter to its subscribers; and

• e-commerce websites, if an e-commerce website displays ads for used car parts with limited profiling that is based on items displayed or purchased on its own website.

Furthermore, under Chapter 1, Section 7 of the Act, the obligation to carry out a DPIA does not apply to the processing of personal data carried out for journalistic purposes or for academic, artistic, or literary creation. Nor does the obligation to carry out a DPIA apply if such obligation would entail processing of personal data in conflict with the Freedom of the Press Act or the Fundamental Law on Freedom of Expression (see section on data processing records above).

Method

IMY has issued guidance on how to conduct a DPIA (only available in Swedish here) (the How-To Guidance), which provides the four basic requirements for the contents of a DPIA as follows:

• a systematic description of the planned processing and the purpose of the processing;

• an assessment of whether the processing is necessary and proportionate to its purpose;

• an assessment of the risks to the rights and freedoms of the data subjects; and

• the measures planned to manage the risks and to demonstrate compliance with the GDPR.

Additionally, the How-To Guidance details that an organization also has to:

• consult with a data protection officer (DPO), if it has one; and

• obtain the views of the data subjects or their representatives when appropriate.

In addition, the How-To Guidance specifies that a single impact assessment can be used to assess multiple processing activities that are similar in nature, scope, content, purpose, and risk.

Furthermore, IMY has also issued guidance on tasks and responsibilities during a DPIA (only available in Swedish here) as well as a form for prior consultation request (only available in Swedish here).

7.5. Data protection officer appointment

In accordance with Article 37(7) of the GDPR, the appointment of a DPO must be notified to IMY. The information required by IMY is, inter alia, the name and contact information of the data controller and the DPO. IMY provides a form for this purpose on its website (only available in Swedish here). The form can be submitted to IMY via email to [email protected], or mail to Box 8114, 104 20 Stockholm, Sweden. It is worth noting that IMY does not generally provide feedback on or a written confirmation of notifications submitted via email, unless they deem it necessary to reach out to the organization to verify the notification. Thus, to ensure that the registration of a DPO has been carried out, the submitter may need to reach out to IMY to verify this.

Additionally, IMY has issued guidelines on DPO announcement which provide that an organization must inform everyone who works in or for the organization and everyone for whom it has registered personal data of the DPO's name, contact details, and the DPO's tasks.

Although not strictly related to the appointment of a DPO, it is worth noting that a DPO may not improperly disclose what they have become aware of in the exercise of their role. In public authority activities, the Public Access to Information and Secrecy Act (SFS 2009:400) (only available in Swedish here) (the Public Access Act) does nevertheless apply.

Moreover, IMY has issued guidelines on when a DPO should be appointed (only available in Swedish here) in which IMY recommends that organizations appoint a DPO if they perform tasks of general interests, or perform tasks that include the exercise of public authority.

7.6. Data breach notification

There are no variations from the GDPR. A data breach shall be notified to IMY by filling out a form on its website (here).

7.7. Data retention

There are no variations from the GDPR. It should however be noted that requirements for retaining specific types of documents which may contain personal data are present in other acts of legislation. For example, the Swedish Bookkeeping Act (SFS 1999:1078) (only available in Swedish here) stipulates that certain financial information and documents, e.g., invoices, must be retained for seven years. There are also legal requirements to retain information related to employment.

7.8. Children's data

Chapter 2, Section 4 of the Act contains a provision which states that when information society services are offered directly to children living in Sweden, the processing of personal data may be based on a child's consent if the child is 13 years or older. If a child is below 13 years of age, the processing of personal data based on consent is permitted only if consent is given or approved by the person who is the child's legal guardian.

Swedish children over the age of 16 also have a certain legal capacity to enter into agreements. Thus, according to IMY, children over the age of 16 should be able to give consent to processing of their personal data.

For children of ages 13-16, the validity of their consent has to be evaluated on a case-by-case basis. Aspects to take into account during such an evaluation are e.g., the age of the data subject, if the data is assessed as belonging to a special category of personal data, duration of the processing, purpose etc. Further, in order for children to properly understand what the processing of their personal data entails and to allow them to make an informed decision, information about the processing of their personal data must be clear, accessible, and easy to understand from a child's perspective.

7.9. Special categories of personal data

Special categories of personal data

Under Swedish supplementary legislation, there are no variations as regards the definition of special categories of personal data.

According to Chapter 3, Sections 2 and 3 of the Act, the processing of special categories of personal data is permitted when the processing is necessary for a data subject or data controller to exercise rights or obligations within the area of labour law, social protection, or social security. If the data controller is a public authority, special categories of personal data may be processed if:

• it was provided to the authority and the processing is required by law;

• if it is necessary for the processing of a case; or

• if it is necessary in the public interest and does not constitute an improper violation of privacy.

Provisions specific to different sectors may also apply as regards public authorities' processing of special categories of personal data.

Special categories of personal data may only be transferred to a third party once expressed consent is obtained or if there is an obligation within labour law or in the areas of social security and social protection to transfer the data, see further under section on data transfers above.

According to Chapter 3, Section 5 of the Act, special categories of personal data may be processed within the health, medical, and social care systems, if it is necessary for:

• preventive health and medical care measures and occupational medicine;

• assessing the working capacity of an employee;

• medical diagnoses;

• providing health and medical care or treatment;

• social care; or

• managing health and medical or social care systems and services.

However, it is required that the processing is subject to confidentiality.

Special categories of personal data may also be processed for archiving purposes, as required under provisions on archives, or other provisions issued by governmental authorities allowing data controllers to process special categories of personal data of public interest (Chapter 3, Section 6 of the Act). Special categories of personal data may also in some cases be processed for statistical purposes, if the interest to do so clearly outweighs the risk of improper violation of privacy (Chapter 3, Section 7 of the Act).

Lastly, personal identity numbers may only be processed without the data subject's explicit consent if it is clearly justified, taking into account the purpose, the importance of identification and other significant reasons (Chapter 3, Section 10 of the Act).

Criminal conviction data

'Criminal conviction data' is defined by IMY as information relating to someone who:

• has committed a crime;

• has been convicted in court in a criminal case;

• has been subject to so-called criminal coercive measures, such as detention, travel bans, or seizures; or

• is a crime suspect (even if no legal proceedings have been initiated).

As a main rule, the processing of criminal conviction data is reserved for public authorities only. Criminal conviction data may however also be processed by other data controllers, if the processing is necessary in order to comply with archiving provisions (Chapter 3, Section 8 of the Act). The requirement of the processing being 'necessary' does not mean that the processing must be unavoidable. An increase in efficiency might for example be a sufficient argument as to why a certain processing activity is deemed necessary. Specific provisions on archives can, inter alia, be found in the Swedish Archive Act (SFS 1990:782) (only available in Swedish here) as well as in the Swedish Archive Ordinance (SFS 1991:446) (only available in Swedish here).

Additionally, criminal conviction data may also be processed by others than public authorities if the processing is necessary to establish, assert, or defend a legal claim, or if the processing is necessary in order to comply with a legal obligation under a law or regulation (Section 5 of the Ordinance). IMY has, however, stated that it is not permitted to process criminal conviction data on the basis of a data subject's consent.

According to the IMY Regulations, there are possible exceptions to the main rule that only public authorities may process criminal conviction data. The exceptions apply to the following situations:

• when necessary to comply with statutes applicable to social services;

• in the line of certain educational organizations' care for students;

• as part of conflict checks carried out within law firms or similar legal practices; and

• relating to individuals in key positions or other positions of leadership included in reports in a whistleblowing system.

IMY may also, in individual cases and upon application, decide to grant permission for specific processing of criminal conviction data. Notably, it is necessary to obtain such permission for the processing of criminal conviction data related to screening of individuals against third-country sanction lists (e.g., sanctions imposed by the US). The first permission (DI-2018-12122) was granted in September 2019 to the Swedish Security and Defence Industry Association, allowing its members to process criminal conviction data as part of screenings against sanctions imposed by the US. Since then, several permissions have been granted by IMY, most of them relating to screenings against sanctions imposed by the US, for the purpose of complying with anti-money laundering legislation. Further, in September 2022, IMY granted a bank permission (DI-2021-2183) to process criminal conviction data as part of the bank's efforts to comply with Swedish anti-money laundering legislation. In its decision, IMY emphasised that the provisions in the Swedish anti-money laundering legislation are too vague and imprecise to serve as a lawful ground for the processing of criminal conviction data, and it is necessary to obtain a permission to process the data in question. In October 2022, IMY also granted a company permission (DI-2021-6010) to process criminal conviction data as part of its background check service for verifying representatives of legal entities, as well as individual job seekers and consultants. However, the decision is subject to conditions. IMY stipulates that the company may only record personal data regarding criminal offenses committed by individual job seekers and consultants who are being considered for positions or assignments that are susceptible to being exploited for similar offenses, or where the offense is deemed to be of significant relevance to the person's suitability for the role or task.

Recently, IMY has drafted a proposal for new IMY Regulations to make it easier for companies to process personal data relating to violations of law, especially for checking such data against sanctions lists. The proposal will apply to companies that provide financial services under the supervision of the Swedish Financial Supervisory Authority and are obliged to comply with the requirements of the Act on Measures against Money Laundering and Terrorist Financing, as well as certain companies that export military equipment or so-called dual-use products. The proposal aims to reduce the administrative burden for both companies and the IMY, and to shorten processing times. The proposal is now out for consultation to relevant organizations and authorities (only available in Swedish here).

The Criminal Data Act applies to the processing of personal data carried out by public authorities working with crime prevention tasks, such as the Swedish Police, the Swedish Tax Authority, and the Swedish Customs. The Criminal Data Act is generally based on the same principles as the GDPR.

Under the Criminal Data Act, authorities may only process the personal data needed in order for them to be able to perform tasks relating to their crime-preventive duties, to enforce criminal sanctions, and to maintain public order and security. The authorities are, however, required to make a clear distinction between processing of personal data relating to data subjects who are suspected or convicted of an offence, and processing of personal data relating to those whose personal data is processed for other reasons, e.g., witnesses or relatives.

7.10. Controller and processor contracts

There are no variations from the GDPR.

8. Data Subject Rights

8.1. Right to be informed

There are no variations from the GDPR.

8.2. Right to access

According to Chapter 5, Section 1 of the Act, the right to access is limited if the data controller is prohibited from disclosing the personal data subject to an act or statute, or under a decision issued by a public authority pursuant to an act or statute. If the controller is a private entity, the limitation also applies to information that would have been subject to secrecy under the Public Access Act if the data controller had been a public authority.

Further, according to Chapter 5, Section 2 of the Act, a data subject does not have the right to access personal data included in text that has not yet taken its final form when the request is made, and personal notes or memos. Examples from page 202-203 of the Government Prop. 2017/18:105 are drafts, memory notes or texts drafted in order to investigate a matter further. Texts that are intended to be updated on a regular basis and are thus never completed are not subject to this exception. Note that data which has been disclosed to a third party; is processed for archiving or statistical purposes; or has been processed over a period of more than one year in running text, is not covered by the aforementioned exception and must be provided when such access is requested.

Lastly, some authorities keeping archives are exempted from the right to access.

8.3. Right to rectification

There are no variations from the GDPR.

8.4. Right to erasure

There are no variations from the GDPR.

8.5. Right to object/opt-out

There are no variations from the GDPR.

8.6. Right to data portability

There are no variations from the GDPR.

8.7. Right not to be subject to automated decision-making

There are no variations from the GDPR.

8.8. Other rights

In two rulings in November, the Supreme Administrative Court established that individuals who file a complaint have the right to appeal against the decision in the complaint case if the decision means that IMY will not do what the individual requested in their complaint.

Previously, the practice was that individual complainants did not have the right to appeal against IMY's decisions in the complaint case or in a supervisory case initiated as a result of the complaint, nor did they have the status of a party in the supervisory case.

As a result of the Supreme Administrative Court's new decisions, IMY now takes the view that individuals who report complaints are parties to the cases initiated, both in the complaint case and in the supervisory case based on the complaint. This applies to both national and cross-border cases.

9. Penalties

Sweden has not implemented any additional corrective powers for handling non-compliance with the GDPR and Swedish supplementary legislation, other than those set out in Article 58 of the GDPR. For example, Sweden has not criminalised acts of non-compliance with the GDPR. Private entities may thus be subject to administrative sanctions ranging from warnings and reprimands to administrative fines.

IMY has previously published an internal guideline for the use of its corrective powers under Article 58(2) of the GDPR. However, due to the Guideline 04/2022 from the EDPB, on the calculation of administrative fines under the GDPR, IMY has decided to revoke this guideline.

Administrative fines imposed on public authorities

In accordance with Chapter 6, Section 2 of the Act, IMY may impose administrative fines on public authorities.

The fine is maximum SEK 5 mil. (approx. $459,380) for violations stated in Article 83(4) of the GDPR and a maximum of SEK 10 mil. (approx. $918,761) for violations stated in Articles 83(5) and 83(6) of the GDPR.

Administrative fines for violations of Article 10 of the GDPR

According to Chapter 6, Section 3 of the Act, IMY may impose administrative fines for violations of Article 10 of the GDPR. In such cases, Articles 83(1) to 83(3) in the GDPR apply. The amount of the fine is set pursuant to Article 83(5) of the GDPR.

The right to give an opinion

Under Chapter 6, Section 4 of the Act, an entity that potentially may be subject to a fine on the basis of alleged misconduct has the right to express its opinion on the matter. Administrative fines may not be imposed unless the entity subject to the potential fine has been given the opportunity to give an opinion in the matter within five years from the date of the violation.

9.1 Enforcement decisions

During the first years after the GDPR entered into force, IMY's enforcement decisions focused on rectifying illegitimate processing of personal data resulting from a lack of guidance and precedents. IMY seemed hesitant to impose large administrative fines in such cases, and the consequences of wrongful processing was generally limited to warnings and reprimands, offering the data controllers a chance to rectify their mistakes. However, with time, IMY has become less lenient and has issued administrative fines. Furthermore, IMY has clearly communicated that investigations, and consequently enforcement decisions, will be a focus area for the authority moving forward.

IMY's enforcement decisions have, inter alia, concerned the areas listed below.

• illegitimate video surveillance and use of facial recognition technology;

• illegitimate publishing and processing of special categories of personal data;

• failure to notify affected data subjects and the supervisory authority about a data breach;

• failure to provide information to data subjects;

• failure to ensure an appropriate level of security;

• failure to comply with the obligation to remove a search listing; and

• illegitimate processing of credit information.

Some of the more notable enforcement decisions are listed below.

2019

• In August 2019, IMY imposed its first administrative fine under the GDPR. It was imposed on a municipality in Sweden for using facial recognition to monitor attendance in a school. The school processed special categories of personal data (biometric data) relating to children unlawfully, and had also failed to conduct a proper DPIA. IMY considered certain mitigating circumstances (that the use of facial recognition was only carried out for a short trial period of three weeks and was limited to 22 data subjects) when determining the fine, which amounted to SEK 200,000 (approx. $18,375).

2020

• In March 2020, a multinational technology company was fined for not fulfilling its obligations in respect of the right to request delisting. The fine was SEK 75 mil. (approx. $6.8 mil.). The company appealed IMY's decision to the Stockholm Administrative Court which affirmed the fine but lowered the amount fined to SEK 52 mil. (approx. $4.7 mil.), with reference to the fact that the breach of the regulation only concerned one single individual. The company appealed the Administrative Court's decision to the Court of Appeal, which further lowered the fine to SEK 50 mil. (approx. $4.5 mil.). The case was appealed to the Supreme Administrative Court, which decided not to grant leave to appeal;

• In November 2020, the Board of Education in the City of Stockholm was fined SEK 4 mil. (approx. $367,448) after an investigation performed by IMY showed serious deficiencies in the security of an IT platform processing, inter alia, special categories of personal data and personal data regarding data subjects with protected identity. The Board of Education in the City of Stockholm appealed the decision to the Administrative Court which reduced the fine to SEK 3 mil. (approx. $275,586). IMY appealed the decision to the Court of Appeal, which in turn increased the amount of the fine to SEK 4 mil. (approx. $367,450). The decision was appealed, but the Supreme Administrative Court decided not to grant leave to appeal;

• In December 2020, IMY imposed fines against seven healthcare providers due to insufficiencies in how they governed and restricted staff access to their main systems for electronic patient data records. The fines ranged from SEK 2.5 mil. (approx. $229,656) up to SEK 30 mil. (approx. $2.7 mil.). Some of the healthcare providers did not agree with IMY's assessment and decided to appeal. The Administrative Court ruled against the applicants but lowered the fine from SEK 30 mil. (approx. $2.7 mil.) to SEK 10 mil. (approx. $918,574). The decision was appealed to the Court of Appeal , which ruled in favor of the applicants; overturning IMY’s, as well as Administrative Court’s, decision. The case was appealed to the Supreme Administrative Court, which decided not to grant leave to appeal; 

• In December 2020, IMY fined a public university SEK 550,000 (approx. $50,524) for processing special categories of personal data, concerning topics such as sexual life and health through, inter alia, storage in a cloud service, without sufficiently protecting the personal data.

2021

• In February 2021, IMY fined the Police Authority SEK 2.5 mil. (approx. $229,656) for using Clearview AI in violation of the Criminal Data Act. IMY concluded that the Police Authority processed biometric data in contravention with the requirements of the Criminal Data Act and should have conducted a DPIA. The Police Authority appealed the decision. The appeal was rejected by the Administrative Court. However, the decision to reject the appeal and IMY’s decision was set aside by the Court of Appeal, which ruled in favor of the Police Authority. The case has been appealed to the Supreme Administrative Court;

• In June 2021, IMY fined a provider of telephone healthcare advice SEK 12 mil. (approx. $1.1 mil.) for processing calls with future patients on an unsecured server. The fine was appealed to the Administrative Court, which lowered the fine to SEK 7.8 mil. (approx. $716,640). IMY in turn appealed to the Court of Appeal, which determined the fine to SEK 11.3 mil. (approx. $1.03 mil.). A total of three companies and three regional authorities were implicated in the matter, resulting in fines for one additional company and the three regional authorities. The regional authorities were found to be in breach of their notification obligations;

• In June 2021, IMY fined the public transport company in Stockholm SEK 16 mil. (approx. $1.4 mil.) for placing body cameras on ticket controllers. The Company was found to be in breach of the fundamental principles of Articles 5(1)(a) and 5(1)(c) of the GDPR, lacked a legal basis for processing personal data on passengers, and failed to inform the passengers of the data processing. The company appealed the decision. The Administrative Court partially upheld the appeal and reduced the administrative fine to SEK 12 mil. (approx. $1.1 mil.). The appeal was otherwise rejected. IMY appealed the decision of the Court of Appeal. The Court of Appeal overturned the decision of the Administrative Court and IMY's decision with respect to the fine for lack of information to the registered parties and set the fee to SEK 8 mil. (approx. $ 735,073 ). The appeal was otherwise rejected. IMY appealed the judgment, and the Supreme Administrative Court granted leave to appeal in November 2023;

• In November 2021, IMY reprimanded a digital music service for failing to correct a customer's information in a timely manner and for failing to provide a customer service representative with a copy of the individual's personal data. The company appealed the decision. The Administrative Court rejected the appeal;

• In December 2021, IMY identified that a credit reference agency was supplying credit reports without verifying that the personal data was accurate and up to date. IMY ordered the company to comply with the accuracy provisions in Article 5(1)(d) of the GDPR. The credit reference agency appealed the order to the Administrative Court, which rejected the appeal.

2022

• In March 2022, IMY imposed an administrative fine of SEK 7.5 mil. (approx. $ 689,102) against a fintech company for failing to inform data subjects of its processing activities and data retention periods in a sufficiently clear manner. The company appealed the decision. The Administrative Court reduced the fine to SEK 6 mil. (approx. $ 551,270). IMY appealed the decision and the Court of Appeal increased the fine to SEK 7.5 mil. (approx. $689,102).

2023

• In January 2023, IMY imposed an administrative fine of SEK 200,000 (approx. $18,369) against Region Dalarna for sending appointment letters by post to patients with sensitive personal data visible in window envelopes. Region Dalarna appealed the decision. The Administrative Court rejected the appeal. Region Dalarna has appealed the decision, and the Court of Appeal has granted leave to appeal;

• In June 2023, IMY imposed an administrative fine of SEK 58 mil. (approx. $5.3 mil.) against a digital music service. According to IMY, the information provided by the digital music service to data subjects when responding to requests for access was insufficient. The decision has been appealed;

• In June 2023, IMY imposed an administrative fine of SEK 13 mil. (approx. $1,19 mil.) against a news company for profiling its customers and web visitors without their consent. The decision has been appealed;

• In June 2023, IMY imposed an administrative fine of SEK 12 mil. (approx. $1.1 mil.) against a telephone company for transferring personal data to the United States via an analysis tool. The decision has been appealed;

• In August 2023, IMY imposed an administrative fine of SEK 35 mil. (approx. $3.2 mil.) against an insurance provider for having security flaws that resulted in 650,000 customers’ data being accessible online between October 2018 and February 2021;

• In October 2023, IMY imposed an administrative fine of SEK 350,000 (approx. $32,140) against a retail company. IMY found that the company had failed to, without undue delay, cease the processing of the complainants' personal data for direct marketing purposes, despite the complainants' objections.

2024

• In January 2024, IMY reprimanded a fintech company for failing to facilitate the exercise of a complainant's right of rectification and for not allowing the complainant to change their email address.