Support Centre

Sweden

Summary

Law: The primary pieces of legislation are the Act with Supplementary Provisions to the GDPR (SFS 2018:218) (only available in Swedish here) (an unofficial English version of the Act is available here) ('the Act'), Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) (only available in Swedish here) (an unofficial English version of the Ordinance is available here) ('the Ordinance') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The Swedish Authority for Privacy Protection ('IMY')

Summary: The GDPR was implemented in Sweden in 2018 when the former Data Protection Act (1998:204) was repealed and replaced with the Act. However, although the Data Act and the Ordinance supplement the GDPR, they are subsidiary to other laws. This means that provisions in special laws which deviate from what is stated in the Act or the Ordinance will prevail, provided, of course, that the special law complies with the GDPR and concerns a matter which the GDPR allows to be separately regulated or specified in national law. IMY is also the relevant supervisory authority under, for example, the Criminal Data Act, the Camera Surveillance Act (2018:1200) (only available in Swedish here), the Patient Data Act (2008:355) (only available in Swedish here), and the Credit Information Act (1973:1173) (only available in Swedish here).

Feedback