SWEDEN

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Name

Förordning (2018:219) med kompletterande bestämmelser till EU:s dataskyddsförordning

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

SPECIFYING REQUIREMENT: 

Age: A user must be at least 13 years old to consent to information society services directed at children (Ch 3 Sec 4 Swedish Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

DEVIATING REQUIREMENT: 

Social Security Number Processing: The processing of social security numbers is permitted without the data subject’s consent when this is necessary for security or authentication purposes (Ch 3 Sec 9 Swedish Act).

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

SPECIFYING REQUIREMENT:

The processing of criminal data may be carried out by persons other than official authorities if the processing is necessary for (1) the establishment, exercise, or defense of legal claims; or (2) a legal obligation. The Swedish SA may decide on a case-by-case basis if persons other than official authorities may process such personal data (Sec 5 & 6 Swedish Reg).

POTENTIAL REGULATIONS:

The Swedish SA may issue additional regulations where persons other than official authorities may process criminal data (Sec 6 Swedish Reg).

INFORMATION OBLIGATION (ART 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

DEVIATING REQUIREMENT:

Right of Access: The data subject’s right of access is limited when the data controller is not permitted to disclose the personal data of the data subject on the basis of local law (Ch 5 Sec 1 Swedish Act). In addition, this right is restricted if the personal data is included in a non-finalized document, unless (1) the data is already made publicly available; (2) the data is treated solely for archival purposes in the general interest or statistical purposes; or (3) the document has been in a “non-finalized” state for more than a year (Ch 5 Sec 2 Swedish Act).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

CERTIFICATION (ART 42)

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

No Deviation

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING REQUIREMENT: 

1. Maximum Administrative Fines Converted into SEK: The maximum administrative fines set forth by the GDPR are converted into SEK as follows:

(a) The maximum of €10 million or 2% of annual global turnover set by Art 83(4) GDPR is capped at 5 million SEK (the equivalent of €484,793) by the Swedish Act (Ch 6 Sec 2 Swedish Act).

(b) The maximum of €20 million or 4% of annual global turnover set by Art 83(5) and (6) GDPR is capped at 10 million SEK (the equivalent of €968,600) by the Swedish Act (Ch 6 Sec 2 Swedish Act).

2. State Budget: Administrative fines collected go to the state budget (Ch 6 Sec 5 Swedish Act).

3. Collection of Fine Within 30 Days: Administrative fines must be paid within 30 days of the decision issuing the administrative fine (Ch 6 Sec 6 Swedish Act).

PENALTIES (ART 84)

No Deviation

FREEDOM OF EXPRESSION & INFORMATION (ART 85)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

DEVIATING REQUIREMENT: 

Scope of Application Carve-Out: The Swedish Act does not apply to processing personal data for journalistic, academic, or artistic purposes (Ch 1 Sec 7 of the Swedish Act).

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

Remarks

The Regulation confirms Datainspektionen’s role as the Swedish SA (Sec 3 Swedish Reg).