Sweden: IMY publishes proposal on processing of personal data concerning legal violations

On September 18, 2023, the Swedish data protection authority (IMY) published a proposal for regulations on the processing of personal data about legal violations. The IMY highlighted that it regularly receives many applications from organizations, particularly in the defense and financial sectors, for permission to process personal data regarding legal violations. Notably, the IMY details that submitting an application and reaching a decision on its approval requires extensive time and effort, and that the proposal aims to simplify applications and approvals.

Specifically, the proposal provides that companies under the supervision of the Financial Supervisory Authority that offer financial services and that are obliged to comply with measures against money laundering and the financing of terrorism may process personal data referred to under Article 10 of the General Data Protection Regulation (GDPR), namely criminal conviction records, for checks against sanction lists where:

  • the sanction lists are publicly available on the websites of issuing authorities or intergovernmental organizations; and
  • the companies have taken relevant measures to distinguish between genuine and false sanctions.

However, the proposal clarifies that the processing of personal data by financial sector organizations may only concern the companies' existing and prospective customers, existing and prospective suppliers, cooperation partners, intermediaries, employees, job seekers, contractors, board members, and authorized representatives, among others.

In addition, the proposal provides that personal data referred to under Article 10 of the GDPR may be processed where the processing is necessary to check that fraud does not exist in legal practice or other legal activities. In education, the proposal stipulates that personal data referred to under Article 10 of the GDPR may be processed if the processing relates to information in notes kept in independent schools' student care activities or in the corresponding activities of individual organizations of higher education.

The proposal also outlines circumstances for processing personal data regarding legal violations for organizations in social care and defense.

You can read the press release here, the proposal here, and the list of organizations to which the proposal has been sent here, all only available in Swedish.