The Swedish Data Protection Act


Today the processing of personal data in Sweden is regulated in the Personal Data Act (Sw. Personuppgiftslag (1998:204)). On 25 May 2018, the EU’s General Data Protection Regulation (the “GDPR”) will apply in all EU Member States and it will replace the Personal Data Act.

As the GDPR allows national legislators to enact certain supplementary provisions, the Swedish Government appointed a governmental commission of inquiry, the Data Protection Commission, to propose the new national laws that will supplement the GDPR. The Data Protection Commission proposed that the Personal Data Act should be replaced with a new act of a general nature, the act containing supplementary provisions to the EU General Data Protection Regulation (Sw. lagen med kompletterande bestämmelser till EU:s dataskyddsförordning) (the “Data Protection Act”).

The main purpose of the Data Protection Act is to supplement the GDPR’s provisions in Sweden on a general level. The act will therefore not be comprehensive, and we can instead expect more sector-specific laws in the future. Furthermore, the Data Protection Act will extend the applicability of relevant provisions of the GDPR to areas not covered by EU law, such as national security. It is worth noting that the right to obtain compensation from the data controller or data processor for damages suffered as a result of a breach of the GDPR should also apply to breaches of the new Data Protection Act or further related Swedish laws that are complementary to the GDPR. Furthermore, the Data Protection Commission proposes that governmental authorities shall also be subject to administrative fines if they violate the data protection regulations, similarly to enterprises or other private parties.

In Sweden, the Fundamental Law on Freedom of Expression (Sw. Yttrandefrihetsgrundlag (1991:1469)) and the Freedom of the Press Act (Sw. Tryckfrihetsförordning (1949:105)) are considered fundamental to Swedish society and are given priority over the GDPR in areas governed by these constitutional acts, which is clarified in the proposed Data Protection Act. Furthermore, the Data Protection Act introduces exemptions from certain provisions of the GDPR for the processing of personal data for journalistic purposes or for academic, artistic or literary expression.

When processing personal data in relation to information society services, the GDPR allows children over the age of 16 to give valid consent. For younger children, consent must be given or approved by a custodial parent. However, according to the proposed Data Protection Act, the age limit for valid consent in Sweden will be 13 years.

Furthermore, the Data Protection Commission seeks to clarify how some of the legal grounds enshrined in the GDPR for the processing of personal data will be established in Swedish law. For example, the legal grounds “fulfilment of tasks of general public interest and exercise of official authority” and “legal obligation” may be applied if this follows from, inter alia, a collective agreement, which is now stated in the proposed legislation.

As a general rule, processing of sensitive personal data is prohibited under the GDPR; however, there are some exemptions set out in the regulation. There is also a possibility to introduce such exemptions in national law, and the Data Protection Commission proposes such provisions in the areas of employment law, health and medical care, social care, archiving and statistical activities.

The processing of personal identity numbers will remain the same. Personal identity numbers may still be processed even though no valid consent has been given, if the processing is clearly justified with respect to the purposes of the processing, the importance of positive identification or some other significant reason.

According to the GDPR, the data protection officers (“DPO”) shall be bound by secrecy or confidentiality in accordance with EU or national law. Therefore, the Data Protection Commission proposes new provisions regarding the confidentiality obligations of the DPOs. DPOs in the private sector will be bound by confidentiality where the DPO has acquired knowledge of personal or financial circumstances of an individual. DPOs within public authorities are already bound by confidentiality, as they must abide by the confidentiality provisions of the Public Access to Information and Secrecy Act (Sw. Offentlighets- och sekretesslag (2009:400)).

The GDPR allows for certain restrictions regarding the rights of data subjects under national law. The Data Protection Commission proposes to introduce such a restriction in the Data Protection Act, meaning that the right to access shall not apply if the personal data is subject to secrecy or, as a main rule, where personal data is contained in running texts that constitute rough drafts or notes.


Article provided by Vencel Hodák & Paulina Rehbinder / Synch Advokat AB / Sweden

