Sweden: IMY publishes proposal on processing of personal data concerning legal violations
On September 18, 2023, the Swedish data protection authority (IMY) published a proposal for regulations on the processing of personal data about legal violations. The IMY highlighted that it regularly receives many applications for permission to process personal data regarding legal violations by organizations, particularly in the defense and financial sectors. Notably, the IMY details that the processing for submitting an application and its potential approval requires extensive time and effort for a decision, with the proposal aiming to simplify applications and approvals.
Specifically, the proposal provides that companies under the supervision of the Financial Supervisory Authority that offer financial services and that are obliged to comply with measures on anti-money laundering and the financing of terrorism may process personal data referred to under Article 10 of the General Data Protection Regulation (GDPR), namely criminal convictions records, for checks against sanction list where:
- the sanction lists are publicly available on the websites of issuing authorities or intergovernmental organizations; and
- the companies have taken relevant measures to distinguish between genuine and false sanctions.
However, the proposal clarifies that the processing of personal data by financial sector organizations may only concern the companies' existing and prospective customers, existing and prospective suppliers, cooperation partners, intermediaries, employees, job seekers, contractors, board members, and authorized representatives among others.
In addition, the proposal provides that personal data referred to under Article 10 of the GDPR may be processed where the processing is necessary to check that fraud does not exist in legal practice or other legal activities. In education, the proposal stipulates that personal data referred to under Article 10 of the GDPR may be processed if the processing relates to information in notes kept in independent schools student care activities or in the corresponding activities of individual organizations of higher education.
The proposal also outlines circumstances for processing personal data regarding legal violations for organizations in social care and defense.