Sweden: Health and Pharma Overview
1. Governing Texts
Due to Sweden's EU membership, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is directly applicable in Sweden. The GDPR is the main governing act regarding the processing of personal data in almost all sectors. Prior to the adoption of the GDPR, Sweden already had numerous statutes in place for the protection of personal data within the health and pharmaceutical sector. These statutes have now been reviewed in light of the GDPR and amended accordingly. The GDPR thus acts as the main governing act for data protection in the health and pharmaceutical sector, with other statutes complementing it.
The following acts are the key governing acts concerning the health and pharmaceutical sector, which are relevant to privacy and data protection:
- Patient Data Act (2008:355) (only available in Swedish here);
- Patient Safety Act (2010:659) (only available in Swedish here);
- Health and Medical Services Act (2017:30) (only available in Swedish here);
- Medicinal Products Act (2015:315) (only available in Swedish here);
- Pharmacy Data Act (2009:367) (only available in Swedish here);
- Biobanks in Medical Care Act (2002:297) (only available in Swedish here);
- Ethical Review Act (2003:460) (only available in Swedish here);
- Complementing Act of Regulation (EU) No. 536/2014 on Clinical Trials on Medicinal Products for Human Use (2018:1091) (only available in Swedish here);
- Genetic Integrity Act (2006:351) (only available in Swedish here); and
- Swedish Act with Supplementary Rules to the GDPR (2018:218) (official Swedish version available here; unofficial English version available here) ('the Data Protection Act').
In addition to the abovementioned acts, each responsible authority may issue supplemental regulations that must be adhered to. Except for what is stated below, these regulations will not be explained further in this Guidance Note.
1.2. Supervisory authorities
The Swedish Authority for Privacy Protection ('IMY') (previously named Datainspektionen) has the overall responsibility for enforcing data protection and privacy rights of data subjects, particularly enforcement of the GDPR. Additionally, the IMY has the mandate to issue regulations in several sector-specific areas, including in the health and pharmaceutical sector.
Pursuant to the Patient Safety Act, the Health and Social Care Inspectorate ('IVO') is responsible for supervising healthcare and healthcare staff. IVO is also responsible for some applications regarding patients' privacy rights made in accordance with the Patient Data Act.
The Swedish Medical Products Agency ('MPA') issues authorisations to perform clinical trials. The MPA also carries out monitoring to ensure that clinical trials are performed in accordance with Good Clinical Practice ('GCP'). When Regulation (EU) No. 536/2014 of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use ('the Clinical Trials Regulation') applies, the MPA will monitor its compliance. The Clinical Trials Regulation will apply as of 31 January 2022. Additionally, the MPA has the authority to issue and enforce regulations in many areas concerning healthcare, medical devices, and pharmaceuticals.
The National Board of Health and Welfare ('Socialstyrelsen') has the authority to, after consulting the IMY, issue certain regulations concerning the Patient Data Act. Socialstyrelsen also has the authority to permit genetic examinations.
The Swedish Ethical Review Authority ('Etikprövningsmyndigheten') examines and authorises applications on research which is subject to the scope of the Ethical Review Act. Etikprövningsmyndigheten is also responsible for reviewing certain legal questions in connection with the establishment of biobanks. For these purposes, Etikprövningsmyndigheten is divided into several operating regions and departments, each reviewing applications within their different fields of research.
The IMY has published numerous guidelines concerning the processing of personal data in Sweden. Some of these specifically concern the health and pharmaceutical sector. These guidelines and general guidance are accessible in Swedish on the IMY's website here. Some of the guidelines are also available in English here. The following guidelines are particularly relevant in the health and pharmaceutical sector:
- Guidelines on how to prevent unauthorised spread of patient data;
- Guidelines on the Patient Data Act (only available in Swedish here); and
- Guidelines on special categories of personal data.
The European Data Protection Board ('EDPB') has adopted several guidelines and opinions concerning the application of the GDPR which are relevant in the health and pharmaceutical sector. Since the GDPR acts as the main legal act for data protection in the health and pharmaceutical sector in Sweden, whereas other statutes complement it, the guidelines from the EDPB are also of great importance.
In Decision No. 1713-2013 (only available in Swedish here), the IMY ordered Uppsala University to produce a written policy on how, and under what circumstances, researchers must handle integrity-sensitive data (i.e. special categories of personal data) in emails in relation to a clinical trial. The IMY concluded that it is not enough merely to state that emails containing sensitive data must be encrypted; the policy must also explain what encryption means in practice and how users verify that an email actually is encrypted. It should be clear from the policy what it concerns, who it applies to, and when and how it is to be applied.
In Decision No. 143-2017 (only available in Swedish here), the IMY concluded that the Elderly Committee of Uppsala municipality was processing personal data in breach of Article 32 of the GDPR. The operations carried out fell within the definition of healthcare treatment, so the Patient Data Act was applicable. The IMY stated that a care provider must limit healthcare personnel's access to patients' personal data to what is necessary for the personnel to carry out their tasks. Additionally, a needs and risk analysis must be conducted in accordance with Chapter 4, Section 2 of the Regulation HSLF-FS 2016:40 (only available in Swedish here). The Elderly Committee had given all licensed personnel access to almost all health records without conducting a proper needs and risk analysis, and had consequently failed to limit access in accordance with Article 32 of the GDPR, the Patient Data Act and Regulation HSLF-FS 2016:40. Additionally, the Elderly Committee had failed to implement sufficient technical measures to fulfil the data subjects' right to block documentation relating to their healthcare, which likewise constituted a breach of Article 32 of the GDPR.
In Decision No. DI-2020-1539 (only available in Swedish here), the IMY ordered the Healthcare Committee of Örebro County to pay an administrative fine of SEK 120,000 (approx. €12,120) for infringing Articles 5, 6, 9 and 32 of the GDPR. The County had published information on its website that a data subject had been admitted to a forensic psychiatric clinic and was subject to urine sampling (i.e. special categories of personal data), without any specific purpose or applicable legal basis for the processing. Social security numbers had also been published without the data subject's prior consent, contrary to Chapter 3, Section 10 of the Data Protection Act. The IMY also concluded that the Healthcare Committee lacked sufficient technical and organisational measures for handling personal data on its website, as required by Article 32 of the GDPR. Further, the IMY instructed the Healthcare Committee to adopt an instruction setting out who is responsible for how and when personal data is published, together with the associated routines, and to ensure that publication only takes place in accordance with that instruction.
In a number of decisions (see links below), the IMY audited eight different care providers in a joint investigation into how they limited their personnel's access to medical records. The IMY issued administrative fines of up to SEK 30 million (approx. €3,030,140) in seven of the eight cases for infringing Articles 5(1), 5(2), 32(1) and 32(2) of the GDPR, as well as Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of the Regulation HSLF-FS 2016:40. None of the seven care providers had carried out a needs and risk analysis, and none had limited personnel's access to the patient journal system to what was strictly necessary for the performance of their tasks, so patient information was accessible to employees with no need for it. Because all parties process highly sensitive data in large volumes, the fines were set correspondingly high. Five of the decisions were later appealed to Förvaltningsrätten ('the Administrative Court'). The Administrative Court dismissed four of the five appeals and lowered the administrative fine in the fifth (the Administrative Court's joint statement is only available in Swedish here). The decisions from the IMY are provided below:
- DI-2019-3839, Karolinska Universitetssjukhuset (only available in Swedish here);
- DI-2019-3840, Sahlgrenska Universitetssjukhuset (only available in Swedish here);
- DI-2019-3841, Hälso- och sjukvårdsnämnden vid Region Västerbotten (only available in Swedish here);
- DI-2019-3842, Aleris Närsjukvård AB (only available in Swedish here);
- DI-2019-3843, Regionstyrelsen, Region Östergötland (only available in Swedish here);
- DI-2019-3844, Aleris Sjukvård AB (only available in Swedish here);
- DI-2019-3845, Digital Medical Supply Sweden AB (KRY) (only available in Swedish here); and
- DI-2019-3846, Capio S:t Görans Sjukhus AB (only available in Swedish here).
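The decisions above (Decision No. 143-2017 and the joint investigation of the eight care providers) turn on two technical controls that were missing: access to a patient's records limited to staff who actually need it for their tasks, and the patient's block on documentation being enforced by the system rather than by policy alone. The following is an added illustration of what such a deny-by-default check looks like; it is not code from any of the investigated providers, and the roles, care units, the "care relationship" as the need test, the emergency override and the sample records are all assumptions constructed for this example, not provisions of the Patient Data Act.

```python
"""Deny-by-default access to patient journal entries.

Added example (not from the page or any care provider). Assumptions:
- a user "needs" a patient's records only while an active care
  relationship with that patient is registered for that user;
- a patient may block an entry, which then stays hidden from users
  outside the unit that wrote it;
- a clinician may override a block by stating an emergency reason,
  and every allow/deny decision is written to an audit log so that a
  needs and risk analysis or a supervisory audit can be answered.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str   # hypothetical roles: "physician", "nurse", "billing"
    unit: str   # care unit the user works in


@dataclass(frozen=True)
class Entry:
    entry_id: int
    patient_id: str
    unit: str            # care unit that wrote the entry
    text: str
    blocked: bool = False  # patient has blocked this entry from other units


@dataclass(frozen=True)
class CareRelationship:
    patient_id: str
    user_id: str
    valid_until: date


CLINICAL_ROLES = {"physician", "nurse"}   # assumption: only these read journals


class Journal:
    def __init__(self) -> None:
        self.entries: list[Entry] = []
        self.relationships: list[CareRelationship] = []
        self.audit: list[dict] = []

    def has_need(self, user: Staff, patient_id: str, today: date) -> bool:
        """The need test: an unexpired care relationship for this user/patient."""
        return any(r.patient_id == patient_id and r.user_id == user.user_id
                   and r.valid_until >= today for r in self.relationships)

    def read(self, user: Staff, patient_id: str, today: date,
             emergency_reason: str | None = None) -> list[Entry]:
        """Return the entries the user may see; log the decision either way."""
        visible: list[Entry] = []
        if user.role not in CLINICAL_ROLES:
            decision, reason = "deny", "non-clinical role"
        elif not self.has_need(user, patient_id, today) and emergency_reason is None:
            decision, reason = "deny", "no active care relationship"
        else:
            decision, reason = "allow", emergency_reason or "care relationship"
            for e in self.entries:
                if e.patient_id != patient_id:
                    continue
                # Blocked entries stay hidden from other units unless the
                # clinician has explicitly invoked the emergency override.
                if e.blocked and e.unit != user.unit and emergency_reason is None:
                    continue
                visible.append(e)
        self.audit.append({"user": user.user_id, "patient": patient_id,
                           "date": today.isoformat(), "decision": decision,
                           "reason": reason, "emergency": emergency_reason is not None,
                           "entries": [e.entry_id for e in visible]})
        return visible


def emergency_accesses(journal: Journal) -> list[dict]:
    """Audit view: every access that bypassed the need test or a block."""
    return [a for a in journal.audit if a["emergency"]]


def demo() -> dict:
    """Constructed sample data exercising each branch of the check."""
    today = date(2022, 1, 31)
    j = Journal()
    j.entries += [Entry(1, "P-1", "cardiology", "ECG reviewed"),
                  Entry(2, "P-1", "psychiatry", "Admission note", blocked=True)]
    cardiologist = Staff("u-card", "physician", "cardiology")
    psychiatrist = Staff("u-psy", "physician", "psychiatry")
    surgery_nurse = Staff("u-nurse", "nurse", "surgery")
    billing_clerk = Staff("u-bill", "billing", "finance")
    j.relationships += [CareRelationship("P-1", "u-card", date(2022, 3, 1)),
                        CareRelationship("P-1", "u-psy", date(2022, 3, 1))]
    return {
        "journal": j,
        "cardiologist": j.read(cardiologist, "P-1", today),          # entry 1 only
        "cardiologist_emergency": j.read(cardiologist, "P-1", today,
                                         emergency_reason="acute chest pain"),
        "psychiatrist": j.read(psychiatrist, "P-1", today),          # own unit's block
        "surgery_nurse": j.read(surgery_nurse, "P-1", today),        # denied: no need
        "billing_clerk": j.read(billing_clerk, "P-1", today),        # denied: role
    }


if __name__ == "__main__":
    for name, result in demo().items():
        if name != "journal":
            print(name, [e.entry_id for e in result])
```

The point of the `audit` list is that a provider can show, for any record read, who read it, on what basis, and whether a block was overridden; the investigations above were lost precisely because access was granted broadly up front and nothing in the system could answer those questions afterwards.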
In a number of decisions, the IMY issued administrative fines of up to SEK 12 million (approx. €1,212,020) to several organisations. The IMY opened the investigation after an incident in which recorded phone calls to the medical consultation service 1177 Vårdguiden were accessible on the internet without any protection. The investigation covered six organisations. 1177 Vårdguiden is a medical service offered and owned by all 21 counties in Sweden. Every call to the phone number 1177 is first routed to the company Inera, which administers and develops the joint systems. Region Stockholm (a Swedish county), Region Sörmland and Region Värmland had outsourced the handling of calls from 1177 Vårdguiden to Medhelp AB, which answered the calls. Medhelp had in turn contracted a Thai company to handle calls received at night and on weekends. Medhelp and the Thai company had also contracted a technology company, Voice Integrate Nordic AB, for switchboard functionality and call recording. Medhelp was fined SEK 12,000,000 (approx. €1,212,020) for failing to ensure that unauthorised persons could not access personal data, in this case the voice recordings, and for not informing the data subjects of the processing of their personal data as required by the GDPR.
Furthermore, Medhelp had outsourced tasks involving health and medical care and the processing of personal data to the Thai company in breach of the GDPR, since the Thai company was subject neither to Swedish legislation on health and medical care nor to an obligation of secrecy laid down by law. Voice Integrate Nordic was fined SEK 650,000 (approx. €65,650) for not implementing appropriate security measures. The three regions were fined SEK 500,000 (approx. €50,500), SEK 250,000 (approx. €25,250) and SEK 250,000 (approx. €25,250) respectively for not having provided sufficient information to the data subjects. No action was taken against Inera. The decisions have been appealed to the Administrative Court, where judgment is pending. The decisions from the IMY are available below:
- DI-2019-3375, Medhelp (only available in Swedish here);
- DI-2019-2488, Voice Integrate Nordic (only available in Swedish here);
- DI-2019-2900, Inera (only available in Swedish here);
- DI-2019-7325, Region Värmland (only available in Swedish here);
- DI-2019-7323, Region Sörmland (only available in Swedish here); and
- DI-2019-7321, Region Stockholm (only available in Swedish here).
Sensitive/special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (Article 9(1) of the GDPR).
The IMY has given further examples of personal data that can be regarded as integrity-sensitive, including information on salaries, offences, an employer's or other party's assessment of personal characteristics, information about a person's private sphere and information on social relations. Such data sometimes require higher security measures. They can also affect the risk assessment in a Data Protection Impact Assessment ('DPIA') under Article 35 of the GDPR and can be decisive for whether a personal data breach has to be reported.
According to Chapter 3, Section 10 of the Data Protection Act, social security numbers and coordination numbers are also viewed as integrity-sensitive data.
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR).
Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (Article 4(13) of the GDPR).
Genetic information: Information about the result of a genetic examination, excluding information that merely describes the examinee's current state of health (Chapter 1, Section 5 of the Genetic Integrity Act).
Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his/her health status (Article 4(15) of the GDPR).
The IMY has given a few examples of what is included in the term 'data concerning health': data from tests or examinations, and data on diseases, risk for disease, medical history, and data on medical disabilities irrespective of what source they derive from.
Research: According to Recital 159 of the GDPR, a broad definition of 'scientific research' has been adopted, including for instance 'technological development and demonstration, fundamental research, applied research and privately funded research'.
In Section 2 of the Ethical Review Act, research is defined as 'scientific experimental or theoretical work or scientific studies by observation, if the work or studies are performed to acquire new knowledge, and development work on a scientific basis, however, not such work or studies carried out only within the framework of higher education at first cycle [i.e. undergraduate] or at advanced level'. The Ethical Review Act applies to any research which involves processing of personal data according to Article 9(1) of the GDPR and which is conducted within the Swedish territory.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR).
The conditions for valid consent are clarified in Article 7 and Recital 32 of the GDPR. In short, consent can only be valid if the data subject 'is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment'.
There are some specific requirements regarding consent in relation to clinical trials and clinical research. The requirements for such consent are described further in section 2.1.1. below. Furthermore, specific requirements apply for consent in relation to biobanking, which are described further in section 4.
Biobank: Biological material from one or more human beings that is collected and preserved for an indefinite or limited period, and whose origin is traceable to an individual or individuals (Chapter 1, Section 2 of the Biobanks in Medical Care Act).
Currently, clinical research and clinical trials in Sweden are mainly regulated in the Medicinal Products Act and the Ethical Review Act. These acts are based on Directive 2001/20/EC on the Implementation of Good Clinical Practice in the Conduct of Clinical Trials on Medicinal Products for Human Use and Directive 2001/83/EC on the Community Code relating to Medicinal Products for Human Use. The EU has since adopted the Clinical Trials Regulation, which entered into force in June 2014 and will constitute a major change in how clinical trials are conducted within the EU. Application of the Clinical Trials Regulation was made dependent on a fully functional EU clinical trials portal and database, the Clinical Trials Information System ('CTIS'), which was postponed due to technical difficulties. The system is now expected to be fully operational as of 31 January 2022, which means that the Clinical Trials Regulation will start to apply on 31 January 2022, together with the complementing acts in Sweden.
In brief, the Clinical Trials Regulation will require an application for a clinical trial to be submitted through the CTIS. After an application has been submitted, all communication between the sponsor (i.e. the individual, institution, company or organisation responsible for initiating, managing or financing the clinical trial, but which does not itself conduct the investigation) and the Member State(s) concerned will go through the CTIS. Each Member State concerned will grant the authorisation, attach conditions to it, or refuse it, in one single decision. The portal will be maintained by the European Medicines Agency ('EMA').
All clinical trials in Sweden are currently registered in the European Clinical Trials Database (EudraCT), and an applicant must obtain a EudraCT number before applying for a clinical trial. As stated above, the CTIS will go live in January 2022, but the EMA foresees a three-year transition period before the transfer to the CTIS is complete.
According to Chapter 7, Section 9 of the Medicinal Products Act, a clinical trial may only be conducted if it has been approved by the MPA prior to commencing the trial. Additionally, an approval from Etikprövningsmyndigheten must also be acquired in most cases where humans are involved as trial subjects.
According to Chapter 7, Section 1 of the Medicinal Products Act, a clinical trial must be conducted by a licensed doctor, who must be sufficiently competent in the specific field of research. According to the MPA's Regulations on Clinical Drug Trials on Humans (LVFS 2011:19) (only available in Swedish here) ('LVFS 2011:19'), the person conducting the clinical trial must have training in GCP, documented experience of previous participation in clinical trials, and good knowledge of the trial drug. Additionally, both the international standard ISO 14155:2020 on GCP and the principles laid out in the World Medical Association Declaration of Helsinki on Ethical Principles for Medical Research Involving Human Subjects ('the Helsinki Declaration') must be adhered to.
It is of fundamental importance that the trial is conducted in accordance with the permitted protocol. In order to make essential changes to the trial, a new permission from the MPA and Etikprövningsmyndigheten must be obtained.
According to Chapter 8 of LVFS 2011:19, the MPA and Etikprövningsmyndigheten must be informed of all urgent safety measures taken during the trial. The sponsor must also report suspected serious and unexpected adverse reactions that are life-threatening or have caused the death of a trial subject; such reports must be made no later than seven days after the sponsor became aware of the reaction. Other suspected serious and unexpected adverse reactions must be reported within 15 days after the sponsor became aware of them. The sponsor must also immediately report violations of applicable regulations or deviations from the trial protocol that could materially affect the trial subjects' integrity or safety, or the scientific value of the trial. The principal investigator is in turn responsible for reporting all serious incidents to the sponsor (except those that, according to the trial protocol, do not require immediate reporting), and the sponsor must document them.
Once a year while the trial is ongoing, a report on the trial subjects' safety, together with a list of all suspected serious adverse reactions, must be sent to the MPA and Etikprövningsmyndigheten. Furthermore, the MPA and Etikprövningsmyndigheten must be notified within 90 days of the trial being fully completed that the trial has ended. A summary report of the trial must be sent to the MPA within 12 months of the end of the trial.
The Ethical Review Act is applicable to research that includes processing of such personal data as is referred to in Article 9(1) of the GDPR (i.e. special categories of personal data). The Ethical Review Act is also applicable on research that, inter alia, involves physical intervention on the research subject, involves studies on a biological material that has been taken from a human and which can be traced back to this human, and on research conducted in accordance with a method aiming to affect the research subject physically or mentally.
According to Section 6 of the Ethical Review Act, the research must be approved in order to be conducted. The applications, which are to be found on Etikprövningsmyndigheten's website (only available in Swedish here) shall be sent to Etikprövningsmyndigheten. An approved application ceases to be valid unless the research has begun no later than two years since the approval became legally binding.
There are some general requirements that must be fulfilled for clinical research to be approved, set out in Sections 7 to 11a of the Ethical Review Act. These include, inter alia, that:
- human rights and fundamental freedoms must be respected;
- the risks to the research subject's health, safety and personal integrity must be outweighed by the scientific value of the research;
- the expected scientific result must not be achievable in any other way that would involve fewer risks for the research subject; and
- processing of special categories of personal data may only be approved if it is necessary for the research to be carried out.
The nature of the data collected and processed necessitates a case-by-case analysis of each processing activity. This analysis must be performed by the controller and re-assessed as the processing changes. Clinical trials largely concern the trial subject's health, genetic and biometric data, all of which are special categories of personal data under Article 9(1) of the GDPR. Processing of such data is permitted only under the circumstances laid out in the GDPR; most notably, it is permitted if the data is processed by, or under the responsibility of, a professional subject to an obligation of secrecy. According to the Public Access to Information and Secrecy Act (2009:400) (only available in Swedish here) and Chapter 6, Sections 12-13 of the Patient Safety Act, secrecy applies to all data about people's health and medical situation within Swedish healthcare.
According to Article 5(1)(b) of the GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Section 10 of the Ethical Review Act mirrors the GDPR by stating that the processing of special categories of personal data is only permitted if it is necessary for the research to be conducted. Further processing for scientific purposes may not be incompatible with the initial purpose(s) of the processing. The data may not be processed for longer than is necessary to achieve the purposes for which it was initially collected. However, personal data processed for scientific research purposes may be stored for a longer period if appropriate technical and organisational measures are in place to safeguard the data subject, in particular to comply with the principle of data minimisation.
When data subjects are being cared for within a clinical trial, the Patient Data Act must be adhered to. Information processed within the healthcare sector must be organised in such a way as to ensure patient safety and good quality as well as being cost effective. Personal data must be processed with respect to the integrity of the data subject's data and collected personal data must be stored in a way that prevents unauthorised access. There is also an obligation to keep health records of each patient and such records must include information that is needed in order to maintain a good and safe treatment of the patient. Chapter 3, Section 6 of the Patient Data Act contains a full list of what needs to be included in the health records. Health records must be kept for at least ten years after the last data input, however, the Socialstyrelsen may regulate longer retention times for certain health records.
In order to process and further use personal data collected in a clinical trial for scientific purposes other than the ones defined by the clinical trial protocol, another specific legal basis than the one initially used to conduct the trial is required. For the time being, the EDPB considers, as addressed in Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation, the so-called presumption of compatibility under Article 5(1)(b) of the GDPR to be applicable, which allows for further processing for, inter alia, scientific and research purposes, provided that adequate safeguards according to Article 89 of the GDPR are met.
According to Article 7(3) of the GDPR, the withdrawal of consent does not affect the lawfulness of the processing that was carried out on the basis of that consent before it was withdrawn. However, in order to justify further processing, another lawful basis must exist. For scientific research, such a basis could be that erasing the previously processed personal data would be likely to render impossible or seriously impair the achievement of the objectives of the project.
According to Chapter 7 of the Medicinal Products Act, clinical trials require the explicit consent of the trial subject. Further, the trial subject must have been duly informed about the study, the risks involved, and about his/her right to withdraw from the trial at any time and with immediate effect.
Consent to participation in a clinical trial for minors (i.e. under 18 years of age) must be given by their legal guardians. The minor's attitude towards the trial shall as far as possible be clarified. Even with the consent of the minor's legal guardians, the trial may not be conducted if the minor recognises the implications of the trial and objects to the clinical trial being performed. The same applies for clinical research.
According to the Ethical Review Act, clinical research must comply with the provisions on information and consent. In terms of information, the research subject must be told how the project is planned to be conducted, the risks associated with it, and the purpose of the research. As regards consent, the research subject must consent to the research freely, specifically and explicitly, and the consent must be in written form.
Within clinical research, an informed consent (as provided for in the Helsinki Declaration) must also be collected and documented. The consent to participate in research or a trial and the consent to the processing of personal data within the trial must be treated as separate. Informed consent under the Helsinki Declaration requires that the subject be adequately informed of the aims, methods, sources of funding, any possible conflicts of interest, the institutional affiliations of the researcher, the anticipated benefits and potential risks of the study and the discomfort it may entail, post-study provisions and any other relevant aspects of the study. Additionally, the potential subject must be informed of the right to refuse to participate in the study or to withdraw his/her consent to participate at any time without reprisal. All research subjects should also be given the option of being informed about the general outcome and results of the study.
According to the Ethical Review Act, where clinical research involves minors, a research subject who has turned 15 but not 18 must be informed about the implications of the research and must give his/her own consent to it. If the subject is under 15, the legal guardians must be informed about, and consent to, the research. If the subject lacks capacity to consent due to disease, mental disorder or similar, research may be conducted without consent, provided that the research is expected to provide knowledge that cannot be obtained from research with consenting subjects and that the research subject is expected to benefit directly from it. The latter requirement can also be met where other persons suffering from similar conditions benefit from the research, provided that the research involves only insignificant risks and discomfort for the research subject. The research may not be conducted if the research subject in any way expresses discomfort with it.
Within Swedish healthcare, some personal data relating to health can be processed even if the patient objects to the processing. According to Chapter 2, Section 4 of the Patient Data Act, this is data relating to, for instance, administration of health records, administration with the purpose of providing care for the patient and producing statistics within the healthcare sector.
2.3. Data obtained from third parties
No further information.
According to Chapter 6, Section 2 of the Medicinal Products Act, anyone having a medicinal product approved for sale must have established a system for safety surveillance. Regarding the safety surveillance system, a detailed description of that system must be maintained by the holder of the approved medicinal product, i.e. a 'master file'. At the request of the MPA, a copy of the master file must be sent to the agency within seven days.
The holder is obliged to keep abreast of developments in the pharmaceutical sector and to have at its disposal an expert with sufficient competence who is continuously responsible for the safety monitoring of the medicinal product. This expert must be resident and active within the European Economic Area ('EEA'). The holder must send the name and contact details of this expert to both the EMA and the MPA.
As part of the safety surveillance of a medicinal product, the holder of the product must also register, store, evaluate, and report information on suspected adverse reactions in accordance with the Medicinal Products Regulation issued by the government as well as the regulations issued by the MPA, mainly the MPA Regulations on Safety Monitoring of Medical Products for Human Use (LVFS 2012:14) (only available in Swedish here) ('LVFS 2012:14') and the MPA Regulations on Parallel Imported Drugs (LVFS 2012:19) (only available in Swedish here) ('LVFS 2012:19'). According to Section 9 of LVFS 2012:14, the holder must electronically report the following to the EudraVigilance database ('EudraVigilance'):
- within 15 days, all suspected serious adverse reactions which have occurred within the EEA or a third country; and
- within 90 days, all suspected non-serious adverse reactions which have occurred within the EEA.
The holder must also make sure that all received information relevant to the scientific evaluation of the adverse reaction reports is accurate and verifiable. Follow-up information on the adverse reaction reports must be collected and reported to EudraVigilance.
Further, the holder must submit periodic safety reports to the EMA. According to Section 11 of LVFS 2012:14, the periodic safety reports must contain, inter alia, a summary of the relevant information regarding the evaluation of the benefits and risks of the medicinal product, a scientific evaluation of the benefits and risks of the medicinal product, and full information on the quantities sold and the prescriptions made.
According to Section 19 of LVFS 2012:14, healthcare providers must also report all suspected adverse reactions of medicinal products to the MPA.
The EMA has produced several guidelines for Good Pharmacovigilance Practices (GVP).
Establishment and conditions of biobanking activities are mainly regulated within the Biobanks in Medical Care Act, which complements the GDPR regarding the processing of personal data through a biobank. The storage of tissue samples in a biobank is not regarded as processing carried out wholly or partly by automated means, and consequently the GDPR does not apply to the biobank itself. However, the Government stated, in the Swedish Government Official Report 2017:66 (only available in Swedish here), that the handling of tissue samples is nonetheless so integrity-sensitive that it requires privacy protection equal to that provided for in the GDPR.
A biobank is established through a decision by a care provider, or some other person or entity to whom tissue samples from a biobank are released, e.g. an institution for research or diagnostics, a pharmaceutical company, a public research institution or another legal entity. According to Chapter 2, Section 2 of the Biobanks in Medical Care Act, a biobank may be used by a care provider for care and treatment as well as other medical purposes. Chapter 2, Section 5 of the Biobanks in Medical Care Act provides that after the decision to establish a biobank has been given, the biobank must be reported to IVO for registration. The report must include:
- the purpose of the biobank;
- where the biobank is stored;
- who is responsible for the biobank; and
- the intended size and scope of the biobank.
The report must be sent to IVO within one month from when the decision on establishment was made. The same applies to any changes made in relation to an earlier report. If tissue samples are to be provided to someone other than the principal, this must also be reported within a month.
If a biobank is supposed to be used for research or clinical trials, an authorisation from Etikprövningsmyndigheten needs to be obtained. The biobank must be used in line with the conditions set out in Etikprövningsmyndigheten's review according to Sections 7 to 11 of the Ethical Review Act to be approved. When the application of the Clinical Trials Regulation begins, a decision to establish a biobank will only be made after an application has been made in accordance with the Clinical Trials Regulation.
According to the Biobanks in Medical Care Act, a biobank must be stored in such a way that there is no risk of the tissue samples being destroyed or of unauthorised persons gaining access to them. In addition, tissue samples may only be stored after receiving consent from the sample donor. The donor must also be informed of the purpose of the biobank and of the purposes for which it may be used. Tissue samples from a minor may only be collected after the parent or guardian of the minor has been informed of the intention and the purposes for which the biobank may be used, and after the parent or guardian has given consent. All data relating to the information given to the donor and to the consent must be stored in the donor's health records.
Donors can withdraw their consent at any time, and if the withdrawal concerns all use of the donor's tissue sample, the sample must be destroyed or encrypted. If personal data will be disclosed when simultaneously handing out a coded tissue sample, the personal data must be handed out in a way that ensures that they are unable to be connected with the tissue sample.
IVO keeps an automated register of biobanks and the register is used for supervision, research and statistics.
Records containing personal data, and which are stored in connection to the biobank, do not fall under the definition of a biobank. Thus, the GDPR will apply to processing of such personal data if wholly or partly processed by automated means. Consequently, the responsible controller must make sure to align such processing of personal data with the provisions of the GDPR.
The obligations and responsibilities regarding data management are governed by the GDPR. The data controller must always adhere to the six principles in Article 5 of the GDPR and make sure the processing of personal data is lawful according to Article 6 of the GDPR.
The GDPR provides that the data controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR. This must be done in a manner considering the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Where appropriate considering the above, pseudonymisation could be used to ensure the principle of data minimisation. Article 32 of the GDPR provides a non-exhaustive list of technical and organisational measures to ensure the level of security is appropriate to the risk:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
According to Article 37 of the GDPR, a data protection officer ('DPO') must be designated when special categories of personal data are processed on a large scale. The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks set out in Article 39 of the GDPR. Within the Swedish healthcare sector, the controller subject to this obligation will be the care provider.
As mentioned above, processing of personal data within healthcare shall be organised so that it ensures patient safety and respects the integrity of patients and other data subjects. It is important that documented personal data are handled and stored so that unauthorised access is prevented. Furthermore, and as described above, when providing care for patients, health records for each patient must be kept in accordance with Chapter 3 of the Patient Data Act. Access to information about a patient must be carefully considered by the care provider and must be controlled regularly. Only healthcare personnel may be given access to documented data about a patient, and only if they are participating in the care provided to the patient or for any other reason need the information to be able to conduct their work. Furthermore, several care providers may give and be given direct access to each other's electronic health records if the requirements of the Patient Data Act are fulfilled. A care provider may process personal data that another care provider has made accessible if the information concerns a patient with whom there is a current patient relationship, the information can be assumed to be relevant to the prevention, investigation and treatment of diseases and injuries that the patient is suffering from within health and medical care, and the patient consents to it. Before such access is granted, the patient must be informed and be given the possibility to object.
According to Chapter 4, Section 1 of the Biobanks in Medical Care Act, the person responsible for the biobank decides upon disclosure of samples stored in the biobank. Since the sample donor must already have been informed of the purpose of the biobank to which the donor has donated tissue, the person responsible for the biobank need not obtain the donor's consent for processing the samples, i.e. for passing the samples on for research.
In order to pass tissue samples on to a recipient outside of Sweden for research purposes, a Swedish research institution must submit an application. If this application is approved, a condition shall be placed on the recipient in the foreign country that the samples are to be returned or destroyed when they are no longer needed for the purpose for which they were disclosed. Tissue samples may not be disclosed to another country in any other way. Moreover, disclosed tissue samples must either be depersonalised or encrypted, unless otherwise decided. Code keys must be kept on the premises of the care provider who decided to collect and store the tissue samples in the biobank. Furthermore, health records within the healthcare sector can only be handed out if the patient has given his/her consent.
If the tissue donor's personal data is simultaneously handed out together with an encrypted tissue sample from the donor, they must be handed out in a way ensuring that the two cannot be connected. A care provider must hand out personal data which is to be inserted into a register stored in connection to a biobank at another care provider. However, this only applies if the data subject has been informed and given explicit consent.
Where the processing is to be carried out on behalf of a controller, i.e. outsourcing, Article 28 of the GDPR provides some general requirements. According to Article 28(1) of the GDPR, a controller may only use processors providing sufficient guarantees, particularly in terms of expert knowledge, reliability, and resources, to implement appropriate technical and organisational measures, including security, in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.
The data controller and the processor must always enter into a data processing agreement setting out the requirements that a processor needs to fulfil in relation to processing activities performed on behalf of a controller. The instructions from the data controller to the processor must be clear enough so that the processor is able to process personal data correctly without at the same time committing a breach of contract. The processor shall not engage another processor without prior specific or general written authorisation of the controller. The IMY has produced a guideline for processors (only available in Swedish here).
Article 32 of the GDPR provides that when implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, must be considered. Since the processing of health data, genetic data and biometric data is regarded as processing of special categories of personal data and typically involves higher risks to the rights and freedoms of natural persons, this will affect the level of security needed. Supervisory authorities recommend that appropriate security for health data processed in a cloud service is applied. For instance, appropriate encryption of the data processed in the cloud service is an important consideration when processing special categories of personal data, such as health data or genetic data. Pseudonymisation could also be used.
Following a report from the Swedish Government published in January 2021, there is an ongoing debate in Sweden regarding the use of cloud services by public healthcare providers and the possibility of outsourcing IT operations to non-EU companies. According to some recommendations and interpretations of the report and the current legal landscape in Sweden, outsourcing of IT operations to a cloud service provider in a country outside the EU/EEA would mean that information is unlawfully disclosed according to the Swedish Public Access to Information and Secrecy Act, irrespective of whether the information is encrypted or protected by other measures.
Since all EU Member States are obliged to follow the GDPR, transfer of data within the EU must adhere to the principles and rules of the GDPR, consequently ensuring the protection of privacy rights for data subjects. The GDPR restricts the transfer of personal data outside of the EU/EEA. Personal data can only be transferred outside of the EU/EEA to third countries or international organisations if the conditions for transfer set out in Chapter V (Articles 44 to 50) of the GDPR are complied with.
In Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) ('Schrems II'), the Court of Justice of the European Union ('CJEU') declared the EU-US Privacy Shield invalid and clarified the requirements for transfers of personal data based on Standard Contractual Clauses ('SCCs'). In short, the CJEU stated that controllers or processors that intend to transfer data based on SCCs must ensure that the data subject is granted a level of protection essentially equivalent to that guaranteed within the EU through the GDPR and the Charter of Fundamental Rights of the European Union. Failing that, the transfer of personal data outside the EU must be suspended. From the Schrems II judgment, it is clear that it is not sufficient for a controller to enter into SCCs with the importer of the personal data (which usually is a processor); the controller must also assess whether there is anything in the legal system of the importer's country that could undermine the level of protection that the SCCs aim to provide. If such an assessment reveals that the legal system in the importer's country impinges on the effectiveness of the SCCs, the transfer may still be permitted if (i) sufficient supplementary measures (technical, organisational, and contractual measures) are adopted, or (ii) it can be shown through reliable sources that the legislation in question is in practice not applied in relation to the importer and the services provided by the importer. This is further set out in the EDPB's adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
The EDPB states in its recommendations that a transfer may proceed if the controller has conducted a risk-based assessment and concluded that there is no reason to believe that any problematic legislation will be applied, in practice, to the transferred personal data and/or the importer.
A personal data breach is a security incident that can pose risks to the rights and freedoms of natural persons. Articles 33 and 34 of the GDPR provide that the data controller must report a personal data breach to the supervisory authority within 72 hours. In Sweden, the report must be sent to the IMY. The report must, inter alia, include the estimated number of data subjects affected, describe the likely consequences of the breach and the actions taken or proposed. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subjects without undue delay.
9. Data Subject Rights
The rights of data subjects are primarily regulated within the GDPR. Particularly, these rights include:
- the right to be provided with information about the processing of the data subject's personal data (Articles 13 and 14 of the GDPR);
- the right to access the processed personal data, including information about whether personal data are being processed at all (Article 15 of the GDPR);
- the right to rectification of inaccurate personal data (Article 16 of the GDPR);
- the right to erasure (the right to be forgotten) (Article 17 of the GDPR);
- the right to restriction of processing (Article 18 of the GDPR);
- the right to data portability (Article 20 of the GDPR);
- the right to object to processing (Article 21 of the GDPR); and
- the right to lodge a complaint with a supervisory authority (Article 77 of the GDPR).
Further, Chapter 8 of the Patient Data Act provides that the patient has the right to obtain information stored in his/her health records. The patient may also, in some cases, exercise the right to have them destroyed. According to Chapter 8, Section 2 of the Patient Data Act, the right to obtain information does not always have to be complied with. This is assessed by the person responsible for the health records, while IVO decides upon the destruction of health records.
Breach of an organisation's duties under the GDPR may result in administrative fines of up to €20 million or 4% of the company's annual global turnover, whichever is higher. Article 83 of the GDPR sets out which kinds of breaches may result in fines. The IMY has provided guidelines on how it evaluates and weighs different kinds of breaches in relation to Article 83 of the GDPR (only available in Swedish here).
According to Chapter 16, Section 1 of the Medicinal Products Act, anyone who, intentionally or through negligence, conducts a clinical trial without permission will be sentenced to pay a fine or imprisonment for a maximum of one year. The same applies for anyone selling medicinal products without permission, manufacturing without permission as well as not taking sufficient precautions when handling medicinal products.
According to Section 38 of the Ethical Review Act, anyone who conducts research within the application of the Ethical Review Act, without having permission or in breach of conditions associated with the permit, will be sentenced to pay a fine or imprisonment for a maximum of one year. Minor offences will not result in penalties.
Chapter 6, Section 1 of the Biobanks in Medical Care Act provides that, inter alia, anyone who, intentionally or through negligence, uses a biobank for other purposes than those permitted within the Biobanks in Medical Care Act, neglects to report the biobank to IVO, neglects to provide the donor with information or to collect a consent, does not destroy or depersonalise tissue samples when required to, or anyone who transfers tissue samples to another country without permission, will be sentenced to pay a fine.
According to Chapter 8, Section 6 of the Genetic Integrity Act, anyone who, with the purpose of making profit, steals, hands over, receives or mediates biological material from a living or dead human being or tissue from an aborted foetus, will be sentenced to pay a fine or imprisonment for a maximum of two years.
11. Other Areas of Interest
The MPA is the administrative and supervisory authority regarding medical devices in Sweden, and the agency is competent to issue regulations in this area. As of 26 May 2022 this will include the new Medical Device Act (2021:600) (only available in Swedish here) and the Regulation HSLF-FS 2021:32 (only available in Swedish here). These instruments will complement Regulation (EU) 2017/745 on Medical Devices ('MDR'), which the MPA is responsible for enforcing. The MPA will also be responsible for enforcing Regulation (EU) 2017/746 on In Vitro Diagnostic Medical Devices, which will start to apply in May 2022.
Clinical trials in relation to medical devices are regulated in the MDR and the Complementing Act on Ethical Review to the Regulation (EU) 2017/745 on Medical Devices (2021:603) (only available in Swedish here) ('the Complementing Act'). The Complementing Act will start to apply from May 2022.
Digital health records
Socialstyrelsen is a government agency under the Ministry of Health and Social Affairs and is responsible for keeping the national digital health record. The record contains information on patients who have been:
- cared for in the institutional healthcare;
- treated by a doctor in the non-institutional healthcare and which is not viewed as primary care; or
- treated by a healthcare professional other than doctors in non-institutional psychiatric care.
Anyone conducting healthcare business is obliged to provide Socialstyrelsen with the information above.
Security of network and information systems
The Security of Network and Information Systems Act (2018:1174) (only available in Swedish here) ('NIS Act') entered into force on 1 August 2018 and associated regulations from the Swedish Civil Contingencies Agency ('MSB') entered into force in the months thereafter.
The NIS Act sets out requirements for operators of essential services, for example some operators of healthcare services. Such requirements include taking appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems used for the provision of the essential services. The operator must also implement appropriate measures to prevent and minimise the impact of incidents affecting the security of network and information systems. Furthermore, the operator must, without undue delay, notify the relevant national authority (the MSB) of any incident that has a significant impact on the continuity of the essential services.
According to the NIS Act, operators of essential services within healthcare must, without undue delay, notify IVO of their services. The notification must state whether the essential services are operated in two or more EU Member States, if this is the case.