Sweden - Data Protection Overview

June 2023

1. Governing Texts

Sweden has a long history of safeguarding personal data and was the first country to adopt data protection legislation when the Swedish Data Act (SFS 1973:289) (only available in Swedish here) ('the 1973 Data Act') gained legal force in 1973. With the implementation of the 1973 Data Act, the Swedish Data Protection Authority was established with the purpose of, e.g., granting the necessary permits for the processing of personal data. In the years following the adoption of the 1973 Data Act, Swedish data protection legislation has been subject to significant changes, mostly as a result of Sweden being a Member State of the EU. The Swedish data protection regime now consists of laws supplementing the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as well as so-called register statutes primarily designed to regulate public authorities' processing of personal data.

While the laws supplementing the GDPR were drafted in connection with the GDPR entering into force, many of the so-called register statutes existed prior to the GDPR. These were simply updated with references to the GDPR instead of the former Swedish Personal Data Act (SFS 1998:204) ('the 1998 Act'), which implemented the Data Protection Directive (Directive 95/46/EC). This means that, in order to gain a comprehensive understanding of the Swedish data protection regime, it is important not to limit oneself to the data protection legislation but also to consult the applicable register statutes.

The Swedish Authority for Privacy Protection ('IMY'), previously the Swedish Data Protection Authority, is the supervisory authority in matters concerning data protection. IMY's overall task is to safeguard individual privacy in the information age, and, as previously mentioned, it has been doing so for the past 50 years.

1.1. Key acts, regulations, directives, bills

In connection with the GDPR entering into force, the 1998 Act was revoked and replaced by the Act with Supplementary Provisions to the GDPR (SFS 2018:218) (only available in Swedish here) (an unofficial English version of the Act is available here) ('the Act'). In addition to the Act, the Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) (only available in Swedish here) (an unofficial English version of the Ordinance is available here) ('the Ordinance') was adopted by the Swedish Government ('the Government').

The aforementioned legislative act and ordinance serve the purpose of supplementing the GDPR and governing the overall processing of personal data in Sweden. However, other legislative acts target specific data processing activities. For example, the Swedish Patient Data Act (SFS 2008:355) (only available in Swedish here) ('the Swedish Patient Data Act') regulates how personal data may be processed within the healthcare sector, and the Swedish Credit Information Act (SFS 1973:1173) (only available in Swedish here) safeguards individuals' privacy in connection with credit information services.

1.2. Guidelines

IMY is responsible for issuing guidelines on data protection matters. Furthermore, IMY is tasked with supervising and inspecting compliance with the GDPR and the Swedish supplementary legislation.

IMY regularly issues guidelines, mainly through articles on its website. For example, IMY has published a checklist that entities can use as a tool to ensure that their processing of personal data is compliant with the GDPR as well as the Swedish supplementary legislation (only available in Swedish here). Moreover, IMY has also made available a Q&A containing frequently asked questions (only available in Swedish here).

For a more detailed description of IMY's tasks relating to guidelines, see the section on Regulatory Authority below.

1.3. Case law

Since 2018, IMY has made several enforcement decisions under the GDPR. While some decisions have resulted in an obligation to pay administrative fines, others have been limited to warnings and reprimands. For more detailed information regarding IMY's enforcement decisions, see the section on enforcement decisions below.

Under Swedish law, formal decisions ordered by IMY may be appealed to the Swedish administrative courts. The cases which have been tried by the administrative courts include, e.g., the following types of decisions:

  • Gothenburg Administrative Court of Appeal, case nr 1677-19. This case concerned a declined request to access an extract from a data controller's internal register; the Court ruled in favour of the applicant;
  • Gothenburg Administrative Court of Appeal, case nr 2232-21. In this case, Google LLC was fined for not fulfilling its obligations in respect of the right to request delisting (the right to be forgotten under the GDPR). The Court affirmed the fine set by the Stockholm Administrative Court, but lowered it from SEK 52 million (approx. €4.46 million) to SEK 50 million (approx. €4.29 million). The fine was lowered as the Court ruled that Google had not violated any provisions of the GDPR with reference to the individual complaints, but only with reference to its internal procedures. Google appealed the decision, but on 20 December 2022, the Supreme Administrative Court decided not to grant leave to appeal;
  • Stockholm Administrative Court of Appeal, case nr 5200-18. This case concerned a declined request to access a personal data breach notification submitted to IMY; the Court ruled in favour of the applicant; and
  • Stockholm Administrative Court of Appeal, case nr 4548-21. In this case, a hospital was fined for not appropriately securing personal data relating to patients. The Stockholm Administrative Court had ruled against the applicant but lowered the fine from SEK 30 million (approx. €2.57 million) to SEK 10 million (approx. €860,130). The Court of Appeal ruled in favour of the applicant, overturning both IMY's decision and that of the Stockholm Administrative Court. The case has been appealed to the Supreme Administrative Court.

While cases from the administrative courts and the courts of appeal do not set precedents, they do guide how the law is applied.

IMY has been party to 141 cases in the Swedish administrative courts since the GDPR started to apply. Most of these cases are appeals by individuals who have submitted complaints to IMY that have not resulted in an investigation. Only a limited number of cases are appeals of IMY's supervisory decisions. However, most supervisory decisions that include a fine are appealed.

With IMY's increased focus on enforcement and investigations it can be anticipated that more enforcement decisions will be tried by the administrative courts in the near future. At the time of writing, 37 supervisory decisions by IMY have been appealed (available in Swedish here).

2. Scope of Application

2.1. Personal scope

The Swedish data protection legislation applies as set forth in the GDPR.

2.2. Territorial scope

As stipulated regarding the legal age of consent for children for the processing of their personal data, Chapter 2, Section 4 of the Act shall apply to all children living in Sweden, regardless of where the data controller or data processor is established.

There are no other deviations from the GDPR apart from the aforementioned.

2.3. Material scope

Contrary to what is stated in Article 2 of the GDPR, Chapter 1, Section 2 of the Act extends the scope of the GDPR to apply also to the processing of personal data in cases of:

  • an activity which falls outside of the scope of Union law; and
  • carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union.

However, the GDPR does not apply if the activities are also covered by:

  • Act on Processing of Personal Data in the Swedish Armed Forces (SFS 2021:1171) (only available in Swedish here); or
  • Act on the Swedish Security Service's Processing of Personal Data (SFS 2019:1182) (only available in Swedish here).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

IMY is the Swedish supervisory authority responsible for safeguarding the privacy of individuals. Ensuring compliance with the GDPR and Swedish supplementary legislation thus falls within the scope of IMY's tasks.

IMY is an independent public authority governed by a Director General, who is appointed by each elected Government for a four-year term. However, it is worth noting that the Government, at its discretion, may terminate an appointment prematurely, as well as extend an appointment beyond the stipulated four years.

The Director General is obligated to regularly report to IMY's Supervisory Council, which is comprised of nine members, including the Director General (chair), members of parliament and other individuals with relevant positions and qualifications, such as law professors, representatives of branch and employer associations, and officials from other public authorities.

3.2. Main powers, duties and responsibilities

As stipulated in Section 1 of the Ordinance on Instructions for the Swedish Authority for Privacy Protection (SFS 2007:975) (only available in Swedish here), IMY's overarching goals are to 'work to ensure that people's fundamental rights and freedoms are protected in connection with processing of personal data, to facilitate the free movement of such data within the EU and to work to ensure that good practice is observed in credit rating and debt recovery activities'.

To fulfil the aforementioned goals, IMY is tasked with enforcing and overseeing compliance with the GDPR and Swedish supplementary legislation for the purpose of safeguarding the right to privacy. Note, however, that IMY is not responsible for overseeing compliance with the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), which is instead overseen by the Swedish Post and Telecom Authority. IMY is also not able to oversee activities that are protected by the Swedish Freedom of Press Act (SFS 1949:105) (only available in Swedish here) ('the Press Act') or the Swedish Fundamental Law on Freedom of Expression (SFS 1991:1469) (only available in Swedish here) ('the Freedom of Expression Law'), two of the four constitutional Acts that comprise the Constitution of Sweden.

In order to monitor compliance, IMY is authorized to conduct inspections. These are for the most part carried out by way of written procedures whereby a data controller or data processor is asked to provide information and documentation relating to certain topics and questions. IMY is, however, also authorized to request and gain access to a legal entity's premises in order to conduct on-site inspections. Based on IMY's review of the information gathered during such inspections, IMY announces a decision or order which, depending on the nature of any possible shortcomings, may include various sanctions.

IMY is authorized to impose administrative fines. For less serious misconduct, IMY may also decide to issue warnings, reprimands, or specific orders, stating e.g. that an entity must cease to perform certain data processing activities. The latter may, for the purpose of ensuring compliance, be combined with a conditional fine.

A decision by IMY to initiate an inspection is based on its inspection policy and its biennial inspection plan. In the inspection plan, IMY determines the focus of its inspection efforts during the upcoming two-year period. Thus, the inspection plan is valuable to companies seeking to understand in which direction the Swedish data protection regime will develop in the near future. However, IMY may also, at its own discretion, initiate inspections on the basis of, e.g., individual complaints, tip-offs, or reports in the media.

In addition to monitoring compliance and conducting inspections, IMY is authorized to issue statutes regarding data protection. IMY has, inter alia, issued a statute for the processing of personal data concerning violations of law (DIFS 2018:2) (only available in Swedish here) ('the IMY Regulations'), which focuses on scenarios in which private entities may process personal data connected to criminal offenses and violations of law.

IMY is also granted authority to give advice on data protection issues, disseminate knowledge, and participate in the development of new soft law instruments (such as guidelines, recommendations, etc). IMY is also regularly asked to review proposals for new or amended laws as a consulting body, and participates on expert commissions and committees.

Generally, IMY's guidance is heavily inspired by guidance from the European Data Protection Board ('EDPB') and highlights its key aspects. This is the case with e.g. guidelines for CCTV. From its guidance, it is evident that IMY's intention is to work towards a harmonized interpretation of the GDPR amongst the EU Member States, rather than creating national deviations or differences in interpretation.

Finally, IMY regularly holds training and seminars covering various topics within the area of data protection. During such training and seminars, IMY may provide guidance and recommendations which are not publicly available on its website. They thus constitute an important tool for IMY in presenting a more nuanced picture than can be accomplished solely by written guidelines.

4. Key Definitions

Data controller: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

Data processor: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

Personal data: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

Sensitive data: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

Health data: There are no variations from the GDPR (Chapter 1, Section 1 of the Act). Note, however, that data processed by health care providers is specifically regulated by the Swedish Patient Data Act.

Biometric data: There are no variations from the GDPR (Chapter 1, Section 1 of the Act). Note, however, that data processed by health care providers is specifically regulated by the Swedish Patient Data Act.

Pseudonymisation: There are no variations from the GDPR (Chapter 1, Section 1 of the Act).

5. Legal Bases

5.1. Consent

There are no variations in Swedish supplementary legislation as regards the consent of adults. For information regarding the consent of children, see the section on children's data below.

5.2. Contract with the data subject

There are no variations from the GDPR.

5.3. Legal obligations

In Chapter 2, Section 1 of the Act, the Swedish legislator prescribes that processing based on Article 6(1)(c) of the GDPR is allowed only if the processing is necessary for the controller to be able to comply with a legal obligation that follows from an act or other statute, from collective agreements, or from decisions issued pursuant to an act or other statute.

5.4. Interests of the data subject

There are no variations from the GDPR.

5.5. Public interest

Chapter 2, Section 2 of the Act stipulates that the legal basis as set out in Article 6(1)(e) of the GDPR shall provide a possibility for public authorities to lawfully process personal data in their performance of tasks in the public interest or when they exercise public authority. The former constitutes a task that:

  • is carried out in the public interest; and
  • follows either from an act or statute, from collective bargaining agreements, or from decisions issued by public authorities pursuant to an act or statute.

According to Government Bill Prop. 2017/18:105 (only available in Swedish here) ('Government Prop. 2017/18:105') (p.190), private entities may only rely on this legal basis (if otherwise applicable) when performing a public task or exercising public authority.

5.6. Legitimate interests of the data controller

There are no variations from the GDPR.

5.7. Legal bases in other instances

The Government or IMY, according to Chapter 2, Section 3 of the Act, may issue statutes and, with respect to IMY, announce decisions, to the effect that controllers may process personal data for archiving purposes in the public interest. The definition of archiving in public interest corresponds to the reason given in Recital 158 of the GDPR. A decision rendered by IMY may be subject to further conditions.

6. Principles

There are no variations from the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

Dating back to the implementation of the Swedish Data Act in 1973, entities that were processing personal data had an obligation to notify IMY of their personal data processing activities. However, with the implementation of the GDPR, such obligations were removed and entities are no longer required to notify IMY of their personal data processing.

7.2. Data transfers

Although Swedish supplementary law does not prohibit or limit transfers of personal data in general, there are certain limitations on transfers of special categories of personal data. Chapter 3, Section 2 of the Act restricts transfers of special categories of personal data when they are processed for the purpose of enabling a data controller or a data subject to fulfil their obligations and exercise their specific rights within labor legislation and in the areas of social security and social protection. The disclosure of special categories of personal data to a third party under these circumstances is only permitted if:

  • there is an obligation within labor legislation or in the areas of social security and social protection for the data controller to do so; or
  • the data subject has expressed their consent to such disclosure.

Furthermore, the Swedish Criminal Data Act (SFS 2018:1177) (only available in Swedish here) (the 'Criminal Data Act'), which applies to processing of personal data carried out by authorized public authorities for the purpose of preventing, averting or discovering criminal activities, investigating crimes or prosecuting criminals, executing criminal sanctions, and maintaining public order and security, contains specific requirements regarding transfers of personal data. Authorized public authorities may, according to Chapter 8, Section 1 of the Criminal Data Act, with a few exceptions, transfer personal data to a third country or an international organization only if the transfer is:

  • necessary to prevent, avert or discover criminal activities, investigate crimes or prosecute criminals, execute criminal sanctions, or maintain public order and security;
  • directed to an authorized public authority in a third country or an international organization which is an authorized authority; and
  • subject to either an adequacy decision, appropriate safeguards, or a derogation for a specific situation.

Additionally, Chapter 8, Section 2 of the Criminal Data Act stipulates that, as a general rule, a Swedish authority may only transfer personal data received from another EU Member State to a third country or international organization if such EU Member State grants its approval prior to the transfer. However, if a transfer is necessary for the aversion of an immediate and serious threat against public security, or threats against Sweden's or another EU Member State's key interests, such prior approval is not required.

Finally, when transferring personal data subject to the Criminal Data Act to another EU Member State, other conditions may not be imposed than those which may be imposed in relation to a Swedish recipient, unless otherwise explicitly stated in law or regulation (Chapter 2, Section 20 of the Criminal Data Act).

7.3. Data processing records

As stipulated in Article 30 of the GDPR, all data controllers and data processors must maintain a data processing record unless they are subject to the exceptions set forth in Article 30(5) of the GDPR. In addition to the exceptions provided for in the GDPR, under Chapter 1, Section 7 of the Act, the obligation to keep a record of processing activities does not apply to the processing of personal data carried out for journalistic purposes, academic, artistic, or literary creation.

Furthermore, Chapter 1, Section 7 of the Act states that the obligation to maintain a record of processing activities does not apply if such an obligation conflicts with the Press Act or the Freedom of Expression Law. This implies, inter alia, that processing of personal data which is an inherent part of exercising the constitutional rights to produce and disseminate opinions, as well as the freedom to acquire and disclose information, is excluded from the scope of the GDPR. These national variations are based on the possibility for exemptions or derogations pursuant to Article 85 of the GDPR.

7.4. Data protection impact assessment

Swedish supplementary legislation does not provide for any variations from the GDPR concerning when a Data Protection Impact Assessment ('DPIA') is required, apart from the exceptions described below. IMY has, in accordance with Article 35(4) of the GDPR, established a list of activities that require a prior DPIA to be performed ('the DPIA Blacklist'). IMY has stated in its DPIA Blacklist that a DPIA shall be carried out if the planned data processing activities meet two or more of the criteria in the list below (with some exceptions):

  • evaluation or scoring;
  • automated decision-making with legal or similarly significant effect;
  • systematic monitoring;
  • special categories of data or data of a highly personal nature;
  • data processed on a large scale;
  • matching or combining datasets;
  • data concerning vulnerable data subjects;
  • innovative use or applying new technological or organizational solutions, e.g. Internet of Things ('IoT') applications; and
  • when the processing in itself prevents data subjects from exercising a right, using a service or a contract.

In this regard, the EDPB has published the following Opinion for Sweden:

The criteria listed above may seem familiar to those who are aware of guidelines from the European Data Protection Supervisor ('EDPS') concerning when a DPIA is required. This is due to the fact that IMY's list of criteria mirrors the list provided in that guidance. In addition to the aforementioned list of criteria, IMY has published guidance (only available in Swedish here) in the form of questions and examples which aims to assist data controllers in assessing whether or not a specific personal data processing activity requires a prior DPIA to be performed.

IMY has also provided a number of specific examples (only available in Swedish here) of personal data processing activities which entail that a DPIA shall be carried out. The activities are divided into the areas of work life, marketing, processing of special categories of personal data, private sector, public sector, and technology and include, inter alia, the following:

  • providing internet-connected products for consumers' homes (smart home products), e.g. in order to be able to control heating, lighting, or audio playback remotely, where such products collect detailed information on how customers use the services;
  • businesses that collect personal data, including, inter alia, location data, which arise through the use of smart cars, e.g. in order to develop the technology thereof;
  • processing of financial data of natural persons on a large scale in order to be able to disclose such data to other actors for credit information purposes;
  • collecting information from social media to profile natural persons and then target marketing to certain selected groups;
  • performing background checks prior to recruitment; and
  • introducing a common system in which it is possible to report malpractice in the workplace, a so-called whistle-blower system.

IMY has not provided a 'whitelist' in which it exempts certain processing activities from the obligation to carry out a DPIA. IMY has stated that a DPIA is not necessary when processing is not likely to result in a high risk to the rights and freedoms of natural persons and has provided the following two scenarios and subsequent descriptions of processing activities (only available in Swedish here) that probably do not entail such high risk, as follows:

  • newsletters, e.g. if an online magazine uses a mailing list to send a daily newsletter to its subscribers; and
  • e-commerce websites, e.g. if an e-commerce website displays ads for used car parts with limited profiling based on items viewed or purchased on its own website.

Furthermore, under Chapter 1, Section 7 of the Act, the obligation to carry out a DPIA does not apply to the processing of personal data carried out for journalistic purposes or for academic, artistic, or literary creation. Nor does the obligation to carry out a DPIA apply if such an obligation would entail processing of personal data in conflict with the Press Act or the Freedom of Expression Law (see the section on data processing records above).

Method

IMY has issued guidance on how to conduct a DPIA (only available in Swedish here) ('the How-To Guidance'), which provides the four basic requirements for the contents of a DPIA as follows:

  • a systematic description of the planned processing and the purpose of the processing;
  • an assessment of whether the processing is necessary and proportionate to its purpose;
  • an assessment of the risks to the rights and freedoms of the data subjects; and
  • the measures planned to manage the risks and to demonstrate compliance with the GDPR.

Additionally, the How-To Guidance details that an organization also has to:

  • consult with a data protection officer ('DPO'), if it has one; and
  • obtain the views of the data subjects or their representatives when appropriate.

In addition, the How-To Guidance specifies that a single impact assessment can be used to assess multiple processing activities that are similar in nature, scope, content, purpose, and risk.

Furthermore, IMY has also issued guidance on tasks and responsibilities during a DPIA (only available in Swedish here) as well as a form for prior consultation requests (only available in Swedish here).

7.5. Data protection officer appointment

In accordance with Article 37(7) of the GDPR, the appointment of a data protection officer ('DPO') must be notified to IMY. The information required by IMY includes, inter alia, the name and contact information of the data controller and the DPO. IMY provides a form for this purpose on its website (only available in Swedish here). The form can be submitted to IMY via email to [email protected], or by post to Box 8114, 104 20 Stockholm, Sweden. It is worth noting that IMY does not generally provide feedback on or written confirmation of notifications submitted via email, unless it deems it necessary to reach out to the organization to verify the notification. Thus, to ensure that the registration of a DPO has been carried out, the submitter may need to contact IMY to verify this.

Additionally, IMY has issued guidelines on DPO announcement which provide that an organization must inform everyone who works in or for the organization, and everyone whose personal data it has registered, of the DPO's name, contact details, and tasks.

Although not strictly related to the appointment of a DPO, it is worth noting that a DPO may not improperly disclose what they have become aware of in the exercise of their role. In public authority activities, the Public Access to Information and Secrecy Act (SFS 2009:400) (only available in Swedish here) ('the Public Access Act') does nevertheless apply.

Moreover, IMY has issued guidelines on when a DPO should be appointed (only available in Swedish here) in which IMY recommends that organizations appoint a DPO if they perform tasks of general interests, or perform tasks that include the exercise of public authority.

7.6. Data breach notification

There are no variations from the GDPR. A data breach shall be notified to IMY by filling out a form on its website (here).

7.7. Data retention

There are no variations from the GDPR. It should however be noted that requirements for retaining specific types of documents which may contain personal data are present in other acts of legislation. For example, the Swedish Bookkeeping Act (SFS 1999:1078) (only available in Swedish here) stipulates that certain financial information and documents, e.g. invoices, must be retained for seven years. There are also legal requirements to retain information related to employment.

7.8. Children's data

Chapter 2, Section 4 of the Act contains a provision which states that when information society services are offered directly to children living in Sweden, the processing of personal data may be based on a child's consent if the child is 13 years or older. If a child is below 13 years of age, the processing of personal data based on consent is permitted only if consent is given or approved by the person who is the child's legal guardian.

Swedish children over the age of 16 also have a certain legal capacity to enter into agreements. Thus, according to IMY, children over the age of 16 should be able to give consent to processing of their personal data.

For children of ages 13-16, the validity of their consent has to be evaluated on a case-by-case basis. Aspects to take into account during such an evaluation include, e.g., the age of the data subject, whether the data is assessed as belonging to a special category of personal data, the duration of the processing, and its purpose. Further, in order for children to properly understand what the processing of their personal data entails and to allow them to make an informed decision, information about the processing of their personal data must be clear, accessible, and easy to understand from a child's perspective.

7.9. Special categories of personal data

Special categories of personal data

Under Swedish supplementary legislation, there are no variations as regards the definition of special categories of personal data.

According to Chapter 3, Sections 2 and 3 of the Act, the processing of special categories of personal data is permitted when the processing is necessary for a data subject or data controller to exercise rights or obligations within the area of labor law, social protection, or social security. If the data controller is a public authority, special categories of personal data may be processed if:

  • the data was provided to the authority and the processing is required by law;
  • the processing is necessary for the handling of a case; or
  • the processing is necessary in the public interest and does not constitute an improper violation of privacy.

Provisions specific to different sectors may also apply as regards public authorities' processing of special categories of personal data.

Special categories of personal data may only be transferred to a third party once the data subject's express consent has been obtained, or if there is an obligation within labor law or in the areas of social security and social protection to transfer the data; see further under the section on data transfers above.

According to Chapter 3, Section 5 of the Act, special categories of personal data may be processed within the health, medical, and social care systems, if it is necessary for:

  • preventive health and medical care measures and occupational medicine;
  • assessing the working capacity of an employee;
  • medical diagnoses;
  • providing health and medical care or treatment;
  • social care; or
  • managing health and medical or social care systems and services.

However, it is required that the processing is subject to confidentiality.

Special categories of personal data may also be processed for archiving purposes, as required under provisions on archives, or other provisions issued by governmental authorities allowing data controllers to process special categories of personal data of public interest (Chapter 3, Section 6 of the Act). Special categories of personal data may also in some cases be processed for statistical purposes, if the interest to do so clearly outweighs the risk of improper violation of privacy (Chapter 3, Section 7 of the Act).

Lastly, personal identity numbers may only be processed without the data subject's explicit consent if it is clearly justified, taking into account the purpose, the importance of identification and other significant reasons (Chapter 3, Section 10 of the Act).

Criminal conviction data

'Criminal conviction data' is defined by IMY as information relating to someone who:

  • has committed a crime;
  • has been convicted in court in a criminal case;
  • has been subject to so-called criminal coercive measures, such as detention, travel bans, or seizures; or
  • is a crime suspect (even if no legal proceedings have been initiated).

As a main rule, the processing of criminal conviction data is reserved for public authorities only. Criminal conviction data may however also be processed by other data controllers, if the processing is necessary in order to comply with archiving provisions (Chapter 3, Section 8 of the Act). The requirement of the processing being 'necessary' does not mean that the processing must be unavoidable. An increase in efficiency might for example be a sufficient argument as to why a certain processing activity is deemed necessary. Specific provisions on archives can, inter alia, be found in the Swedish Archive Act (SFS 1990:782) (only available in Swedish here) as well as in the Swedish Archive Ordinance (SFS 1991:446) (only available in Swedish here).

Additionally, criminal conviction data may also be processed by others than public authorities if the processing is necessary to establish, assert, or defend a legal claim, or if the processing is necessary in order to comply with a legal obligation under a law or regulation (Section 5 of the Ordinance). IMY has, however, stated that it is not permitted to process criminal conviction data on the basis of a data subject's consent.

According to the IMY Regulations there are possible exceptions to the main rule that only public authorities may process criminal conviction data. The exceptions apply to the following situations:

  • when necessary to comply with statutes applicable to social services;
  • in the line of certain educational organizations' care for students;
  • as part of conflict checks carried out within law firms or similar legal practices; and
  • relating to individuals in key positions or other positions of leadership included in reports in a whistleblowing system.

IMY may also, in individual cases and upon application, decide to grant permission for specific processing of criminal conviction data. Notably, it is necessary to obtain such permission for the processing of criminal conviction data related to screening of individuals against third-country sanction lists (e.g. sanctions imposed by the US). The first permission (DI-2018-12122) was granted in September 2019 to the Swedish Security and Defence Industry Association, allowing its members to process criminal conviction data as part of screenings against sanctions imposed by the US. Since then, several permissions have been granted by IMY, most of them relating to screenings against sanctions imposed by the US, for the purpose of complying with anti-money laundering legislation. Further, in September 2022, IMY granted a bank permission in Decision (DI-2021-2183) (only available in Swedish here) to process criminal conviction data as part of the bank's efforts to comply with Swedish anti-money laundering legislation. In its decision, IMY emphasized that the provisions in the Swedish anti-money laundering legislation are too vague and imprecise to serve as a lawful ground for the processing of criminal conviction data, and that it is therefore necessary to obtain a permission to process the data in question. In October 2022, IMY also granted a company permission in Decision (DI-2021-6010) (only available in Swedish here) to process criminal conviction data as part of its background check service for verifying representatives of legal entities, as well as individual job seekers and consultants. However, the decision is subject to conditions: IMY stipulates that the company may only record personal data regarding criminal offenses committed by individual job seekers and consultants who are being considered for positions or assignments that are susceptible to being exploited for similar offenses, or where the offense is deemed to be of significant relevance to the person's suitability for the role or task.

The Criminal Data Act applies to the processing of personal data carried out by public authorities working with crime prevention tasks, such as the Swedish Police, the Swedish Tax Authority, and the Swedish Customs. The Criminal Data Act is generally based on the same principles as the GDPR.

Under the Criminal Data Act, authorities may only process the personal data needed in order for them to be able to perform tasks relating to their crime-preventive duties, enforce criminal sanctions, and maintain public order and security. The authorities are, however, required to make a clear distinction between the processing of personal data relating to data subjects who are suspected or convicted of an offense, and the processing of personal data relating to those whose personal data is processed for other reasons, e.g. witnesses or relatives.

7.10. Controller and processor contracts

There are no variations from the GDPR.

8. Data Subject Rights

8.1. Right to be informed

There are no variations from the GDPR.

8.2. Right to access

According to Chapter 5, Section 1 of the Act, the right to access is limited if the data controller is prohibited from disclosing the personal data subject to an act or statute, or under a decision issued by a public authority pursuant to an act or statute. If the controller is a private entity, the limitation also applies to information that would have been subject to secrecy under the Public Access Act if the data controller had been a public authority.

Further, according to Chapter 5, Section 2 of the Act, a data subject does not have the right to access personal data included in text that has not yet taken its final form when the request is made, or in personal notes or memos. Examples given in the Government Prop. 2017/18:105 (p. 202-203) are drafts, memory notes, and texts drafted in order to investigate a matter further. Texts that are intended to be updated on a regular basis, and are thus never completed, are not subject to this exception. Note that data which has been disclosed to a third party, is processed for archiving or statistical purposes, or has been processed in running text over a period of more than one year is not covered by the aforementioned exception and must be provided when such access is requested.

Lastly, some authorities keeping archives are exempted from the right to access.

8.3. Right to rectification

There are no variations from the GDPR.

8.4. Right to erasure

There are no variations from the GDPR.

8.5. Right to object/opt-out

There are no variations from the GDPR.

8.6. Right to data portability

There are no variations from the GDPR.

8.7. Right not to be subject to automated decision-making

There are no variations from the GDPR.

8.8. Other rights

There are no variations from the GDPR.

9. Penalties

Sweden has not implemented any additional corrective powers for handling non-compliance with the GDPR and Swedish supplementary legislation, other than those set out in Article 58 of the GDPR. For example, Sweden has not criminalized acts of non-compliance with the GDPR. Private entities may thus be subject to administrative sanctions ranging from warnings and reprimands to administrative fines.

IMY has previously published an internal guideline for the use of its corrective powers under Article 58(2) of the GDPR. However, due to Guideline 04/2022 on the calculation of administrative fines under the GDPR (Version 1.0) (12 May 2022) from the EDPB, IMY has decided to revoke this guideline.

Administrative fines imposed on public authorities

In accordance with Chapter 6, Section 2 of the Act, IMY may impose administrative fines on public authorities.

The fine is a maximum of SEK 5 million (approx. €429,100) for violations stated in Article 83(4) of the GDPR and a maximum of SEK 10 million (approx. €858,200) for violations stated in Articles 83(5) and 83(6) of the GDPR.

Administrative fines for violations of Article 10 of the GDPR

According to Chapter 6, Section 3 of the Act, IMY may impose administrative fines for violations of Article 10 of the GDPR. In such cases, Articles 83(1) to 83(3) in the GDPR apply. The amount of the fine is set pursuant to Article 83(5) of the GDPR.

The right to give an opinion

Under Chapter 6, Section 4 of the Act, an entity that potentially may be subject to a fine on the basis of alleged misconduct has the right to express its opinion on the matter. Administrative fines may not be imposed unless the entity subject to the potential fine has been given the opportunity to give an opinion on the matter within five years from the date of the violation.

9.1. Enforcement decisions

During the first years after the GDPR entered into force, IMY's enforcement decisions focused on rectifying illegitimate processing of personal data resulting from a lack of guidance and precedents. IMY seemed hesitant to impose large administrative fines in such cases, and the consequences of wrongful processing were generally limited to warnings and reprimands, offering the data controllers a chance to rectify their mistakes. However, with time, IMY has become less lenient and has issued administrative fines. Furthermore, IMY has clearly communicated that investigations, and consequently enforcement decisions, will be a focus area for the authority moving forward.

IMY's enforcement decisions have, inter alia, concerned the areas listed below.

  • illegitimate video surveillance and use of facial recognition technology;
  • illegitimate publishing and processing of special categories of personal data;
  • failure to notify affected data subjects and the supervisory authority about a data breach;
  • failure to provide information to data subjects;
  • failure to ensure an appropriate level of security;
  • failure to comply with the obligation to remove a search listing; and
  • illegitimate processing of credit information.

Some of the more notable enforcement decisions are listed below.

2019

  • In August 2019, IMY imposed its first administrative fine under the GDPR. It was imposed on a municipality in Sweden for using facial recognition to monitor attendance in a school. The school processed special categories of personal data (biometric data) relating to children unlawfully and had also failed to conduct a proper DPIA. IMY considered certain mitigating circumstances (that the use of facial recognition was only carried out for a short trial period of three weeks and was limited to 22 data subjects) when determining the fine which amounted to SEK 200,000 (approx. €17,170).

2020

  • In March 2020, Google LLC was fined for not fulfilling its obligations in respect of the right to request delisting. The fine was SEK 75 million (approx. €6.43 million). Google appealed IMY's decision to the Stockholm Administrative Court which affirmed the fine but lowered the amount fined to SEK 52 million (approx. €4.46 million), with reference to the fact that the breach of the regulation only concerned one single individual. Google appealed the Administrative Court's decision to the Court of Appeal, which further lowered the fine to SEK 50 million (approx. €4.29 million). The case was appealed to the Supreme Administrative Court, which decided not to grant leave to appeal.
  • In November 2020, the Board of Education in the City of Stockholm was fined SEK 4 million (approx. €343,322) after an investigation performed by IMY showed serious deficiencies in the security of an IT platform processing, inter alia, special categories of personal data and personal data regarding data subjects with protected identity.
  • In December 2020, IMY imposed fines against seven healthcare providers due to insufficiencies in how they governed and restricted staff access to their main systems for electronic patient data records. The fines ranged from SEK 2.5 million (approx. €214,700) up to SEK 30 million (approx. €2.57 million). Some of the healthcare providers did not agree with IMY's assessment and decided to appeal. The Stockholm Administrative Court ruled against the applicants but lowered the fine from SEK 30 million (approx. €2.57 million) to SEK 10 million (approx. €858,342). The decision was appealed to the Court of Appeal, which ruled in favor of the applicants, overturning both IMY's decision and that of the Stockholm Administrative Court. The case has been appealed to the Supreme Administrative Court.
  • In December 2020, IMY fined a public university SEK 550,000 (approx. €47,220) for processing special categories of personal data, concerning topics such as sexual life and health through, inter alia, storage in a cloud service, without sufficiently protecting the personal data.

2021

  • In February 2021, IMY fined the Police Authority SEK 2.5 million (approx. €214,700) for using Clearview AI in violation of the Criminal Data Act. IMY concluded that the Police Authority processed biometric data in contravention of the requirements of the Criminal Data Act and should have conducted a DPIA. The Police Authority appealed the decision. The appeal was rejected by the Stockholm Administrative Court. However, the decision to reject the appeal and IMY's decision was set aside by the Court of Appeal, which ruled in favor of the Police Authority. The case has been appealed to the Supreme Administrative Court.
  • In June 2021, IMY fined a provider of telephone healthcare advice SEK 12 million (approx. €1.1 million) for processing calls with future patients on an unsecured server. A total of three companies and three regional authorities were implicated in the matter, resulting in fines for one additional company and the three regional authorities. The regional authorities were found to be in breach of their notification obligations.
  • In June 2021, IMY fined the public transport company in Stockholm ('SL') SEK 16 million (approx. €1.37 million) for placing body cameras on ticket controllers. SL was found to be in breach of the fundamental principles of Articles 5(1)(a) and 5(1)(c) of the GDPR, lacked a legal basis for processing personal data on passengers, and failed to inform the passengers of the data processing. SL appealed the decision. The Stockholm Administrative Court partially upheld the appeal and reduced the administrative fine to SEK 12 million (approx. €1.37 million). The appeal was otherwise rejected. IMY appealed the decision of the Administrative Court. The Court of Appeal overturned the decision of the Administrative Court and IMY's decision with respect to the fine for the failure to inform the data subjects, and set the fine to SEK 8 million (approx. €686,850). The appeal was otherwise rejected.
  • In December 2021, IMY identified that a data broker was supplying credit reports without verifying that the personal data was correct and up to date. IMY ordered the company to comply with the accuracy provisions in Article 5(1)(d) of the GDPR. The data broker has appealed the order.
  • In December 2021, IMY reprimanded Spotify AB for not rectifying a customer's information in a timely manner and because a customer service representative did not provide a copy of the data subject's personal data. The decision has been appealed by Spotify.

2022

  • In March 2022, IMY imposed a SEK 7.5 million (approx. €643,923) fine against Klarna AB for not informing data subjects of its processing activities and data retention periods in a sufficiently clear manner. The decision has been appealed by Klarna.

2023

  • In January 2023, IMY issued a SEK 200,000 (approx. €17,170) administrative fine against Region Dalarna for sending appointment letters by mail to patients with sensitive personal data visible in window envelopes. The decision has been appealed by Region Dalarna.