Since 25 May 2018, the principal data protection legislation in the EU, and therefore in Sweden, is Regulation (EU) 2016/679 (the ‘General Data Protection Regulation’ or ‘GDPR’).
The Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) is the regulatory authority for data protection in general. The Swedish Post and Telecom Authority (Sw. Post- och telestyrelsen) is the regulatory authority for regulations on telecommunications and cookies.
Special rules in Sweden
Below we describe the Swedish rules that companies doing business in Sweden, where that business involves the processing of personal data, need to be aware of.
Journalistic purposes etc
The Act stipulates that the provisions of the GDPR and the Act shall not apply where they contradict the provisions of the Freedom of the Press Act (Sw. tryckfrihetsförordningen) and the Fundamental Law on Freedom of Expression (Sw. yttrandefrihetsgrundlagen), both of which are part of the Swedish constitution. This means that the media, in their publishing business, do not have to follow the rules in the GDPR. The media have an automatic publisher’s licence (Sw. utgivningsbevis) for their webpages. It is to be noted that any database provider may apply for a voluntary publisher’s licence. This is unique to Sweden.
The Act also provides a similar exemption for the processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary expression. Accordingly, neither the GDPR nor the Act applies to processing within these fields. The exemption applies not only to professional journalists but to anyone who wishes to take part in public debate, e.g. on social media or elsewhere.
The Freedom of the Press Act also contains provisions on the right to access official documents, which is a manifestation of the principle of public access to information. The GDPR and the Act shall not apply if they contradict this fundamental right.
In Sweden, the age at which a child can provide valid consent to an offer of information society services is 13. If the child is under 13, the processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Examples of information society services are online content services such as on-demand video services, an online gaming app, or a search engine that is provided free to the end user but funded through advertising.
The main rule in the GDPR is that only public authorities may process personal data relating to criminal convictions and offences. Private companies may, however, according to Swedish law, process personal data relating to criminal offences if the processing is necessary to establish, exercise or defend legal claims or to fulfil an obligation under any legal rules. Furthermore, the regulations of the Swedish Authority for Privacy Protection provide exceptions under which private companies may process personal data relating to criminal offences. An example of such an exception is the processing of personal data within a whistleblowing system. Finally, a private company can apply for an individual exemption from the prohibition on processing personal data relating to criminal offences. Such an application is filed with the Swedish Authority for Privacy Protection.
Personal identity numbers
According to the Act, personal identity numbers may be processed only if the data subject has given his/her consent. However, exemptions apply where processing is clearly justified by the purpose of the processing, the importance of identification of a person or any other significant reason.
Employees’ personal data
The Act contains no specific provisions regarding the processing of employees’ personal data. In Sweden it is not advisable to process employees’ personal data on the basis of consent, because the employee is in a position of dependence on the employer. The Swedish Authority for Privacy Protection emphasises that it might be difficult to obtain valid consent in an employment relationship and that consent should, therefore, be limited to cases where the consent is associated with a clear advantage for the employee.
According to the Act, the right to obtain information about the processing of personal data and the right of access to personal data, both under the GDPR, do not apply to personal data that is subject to secrecy regulations.
According to the Swedish Marketing Practices Act, direct marketing by e-mail, or by other digital means, is in principle only permitted if the recipient has given his/her consent. This restriction does not apply to corporate subscribers. Nor does marketing by e-mail require consent if the recipient has already purchased similar products from the same merchant before the marketing activity. In such cases, a valid opt-out address must always be provided. The sender must also provide certain specified information to the consumer. If the marketing is unlawful under the Swedish marketing rules, the processing of personal data will also be deemed unlawful under the GDPR.
The Act does not impose any obligations to appoint a data protection officer (DPO) beyond those in the GDPR. The Act does, however, impose an obligation of confidentiality on the DPO regarding information obtained while performing his/her duties.
Except for certain sector-specific legislation, there are very few data protection rules in Sweden that are unique compared to the GDPR. We do not see any specific problems for doing business in Sweden due to data protection rules. What we have seen, which is a problem for those who conduct business in several member states, is that the data protection authorities and the courts in the different member states interpret the GDPR in different ways.