All questions

Data protection

The General Data Protection Regulation (GDPR) is an EU regulation that serves to protect the personal data of anyone in the European Union. It entered into force on 25 May 2018 and must be complied with. It applies to any organisation globally that handles the personal data of people in the European Union.

Sweden is currently enacting additional legislation regarding the GDPR. The Swedish Data Protection Authority is the supervisory agency. At the time of writing, in 2018 it had conducted 400 inspections of organisations, authorities and private companies, of which 60 have received injunctions.

i Requirements for registration

Employers do not have to register with the Swedish Data Protection Authority in order to be allowed to process personal data, but the employer needs to process personal data lawfully and the data must be collected for a specific reason. The processing of personal data is legitimate when done in accordance with the GDPR, including when the process is necessary in order to fulfil an agreement or to fulfil a legal requirement.

Some employers need to appoint a data protection officer and report the contact details of the data protection officer to the Swedish Data Protection Authority.

If there is a personal data breach the employer is required to report this to the Swedish Data Protection Authority within 72 hours.

ii Cross-border data transfers

The provisions of the GDPR must be complied with when transferring any personal data. It applies to the processing of personal data in the context of the activities of an establishment of the European Union, regardless of whether the processing takes place in the European Union or not.

iii Sensitive data

Any information related to a person that can be used to directly or indirectly identify the person is defined as personal data. It can be anything from a name, a photograph, an email address, bank details, posts on social networking websites, medical information to a computer IP address. Some personal data is categorised as sensitive personal data, for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic data and biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a person's sex life or sexual orientation. As general rule processing sensitive data is prohibited. Despite this, an employer is allowed to process sensitive personal data if certain conditions apply, including if the employer has prior and explicit consent from the employee. The employer also has grounds for processing sensitive data if it is necessary in order to carry out obligations under the employment, social security or social protection law, or a collective agreement.

iv Background checks

The employer is not permitted to obtain an extract from the criminal register itself. However, the employer can ask the employee to provide it with such an extract from the criminal record database.

Credit checks are only allowed if the employer has a legitimate reason to conduct the check, including, for example, when the employer needs a risk assessment with a financial perspective.

Collective agreements may contain different rules.