Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

Since data protection and privacy legislation in Europe became harmonised through EU Directive 95/46/EC, Swedish legislation has been aligned with the international curve. National legislation had previously been somewhat behind the international curve, since historically there had been less focus on privacy issues in Sweden than in other EU member states. However, the tide has turned and there is now an intense focus on privacy (integrity) in both strategic agreements and EU General Data Protection Regulation projects. This is partly due to new EU regulations, but also to a large scandal regarding the government’s use of personal data and data security in summer 2017. The shift in focus entails intensive work for controllers, who must develop the protection of privacy to the same high level as their technical and service standards.

Are any changes to existing data protection legislation proposed or expected in the near future?

On May 25 2018 the EU General Data Protection Regulation will enter into force and have a direct effect in all EU member states. As a result of the regulation, Sweden will introduce a new Data Protection Act. The EU General Data Protection Regulation and the Data Protection Act will replace the existing data protection legislation, which is based on EU Directive 95/46/EC.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The prime legislation governing data protection in Sweden is the Data Protection Act (1998:204), which implements EU Directive 95/46/EC.

From May 25 2018 the EU General Data Protection Regulation and a new Data Protection Act will be the prime legislation.

Scope and jurisdiction

Who falls within the scope of the legislation?

Any natural or legal person who processes personal data wholly or partly by automated means or who processes personal data which forms part of a filing system falls within the scope of the legislation.

What kind of data falls within the scope of the legislation?

Any kind of information that may be directly or indirectly referable to a natural living person falls within the scope of the legislation.

Are data owners required to register with the relevant authority before processing data?

Yes, if the data processing is wholly or partly automated, the controller must notify the Data Inspection Board. However, there are some exceptions where notification is not required. For example, if the controller appoints a data protection officer, he or she will keep a register of the data processing performed by the controller.

Is information regarding registered data owners publicly available?

The Data Inspection Board maintains a register of the processing of personal data reported to the board. The register is a public record.

Is there a requirement to appoint a data protection officer?

Under the existing legislation, there are no requirements to appoint a data protection officer.

After May 25 2018 it will be mandatory for public authorities and companies that conduct large-scale systematic processing of personal data to appoint a data protection officer.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Data Protection Act authorises the government and the Swedish data protection authority, the Data Inspection Board, to issue more detailed regulations concerning the Data Protection Act. The Data Inspection Board also enforces data protection legislation and can sanction its decisions through an administrative fine. If the board finds that a decision thus sanctioned has been breached, it cannot on its own authority enforce the administrative fine. Instead, it must seek a court order that the fine be paid. In practice, however, the board rarely has to seek such enforcement.

When the EU General Data Protection Regulation enters into force, the board will be able to enforce the administrative fine itself.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data can be processed when the data subject has consented to the processing or when the processing is necessary in order to:

  • perform according to a contract with the data subject or to perform measures that the data subject requested to be implemented before a contract is made;
  • satisfy a legal obligation by the controller;
  • perform according to the vital interests of the data subject;
  • perform a work task in the public interest or in conjunction with the exercise of official authority; or
  • satisfy a purpose that concerns a justified interest for the controller, provided that this interest outweighs the data subject’s interest in protection against violation of personal integrity.

Personal data can also be processed if it is part of unstructured material or is for personal use.

The exception for unstructured material will not apply after the EU General Data Protection Regulation enters into force on May 25 2018.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

A basic requirement under the Data Protection Act is that personal data should not be retained for a longer period than is necessary for the purpose of processing.

If other legislation includes provisions on the preservation of personal data (eg, healthcare legislation), that legislation takes precedence over the Data Protection Act.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, under the Data Protection Act individuals can apply for a register extract from the controller. The controller must inform the data subject whether it processes personal data and, if so:

  • what data is processed;
  • where the data is retrieved; and
  • the purpose of the processing.

Do individuals have a right to request deletion of their data?

At present, individuals have no such right. However, an individual may demand that his or her data is corrected, blocked or deleted if the processing has no legal grounds.

After the EU General Data Protection Regulation enters into force, data subjects will have the right to be forgotten. This implies that the controller must delete all personal data about a data subject. However, the right to be forgotten is not an absolute right.

Consent obligations

Is consent required before processing personal data?

Generally, yes. However, there are other legal grounds for the processing of personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

Personal data can be processed when it is necessary in order to:

  • perform according to a contract with the data subject or to perform measures that the data subject requested to be implemented before a contract is made;
  • satisfy a legal obligation by the controller;
  • perform according to the vital interests of the data subject;
  • perform a work task in the public interest or in conjunction with the exercise of official authority; or
  • satisfy a purpose that concerns a justified interest for the controller, provided that this interest outweighs the data subject’s interest in protection against violation of personal integrity.

Personal data can also be processed if it is part of unstructured material or is for personal use. The exception for unstructured material will not apply after May 25 2018.

What information must be provided to individuals when personal data is collected?

The data subject must obtain clear and comprehensible information about the purposes of the processing, the controller’s contact information and other relevant information that the data subject should know about.

After May 25 2018 the information provided will need to be complete, comprehensible and accessible, provide the necessary transparency and include the identity of the controller and the legal grounds and purpose of the processing. Other requirements will depend on the legal ground that the controller uses.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Controllers must take appropriate technical and organisational security measures to protect personal data. When deciding on these measures, they should consider:

  • available techniques;
  • the cost of the measures;
  • whether there are any special risks concerning the processing; and
  • the sensitivity of the data.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

At present, there is no such requirement. In the event of a breach after the EU General Data Protection Regulation enters into force on May 25 2018, controllers will be required to inform data subjects without unnecessary delay if the breach represents a high risk to their integrity.

Are data owners/processors required to notify the regulator in the event of a breach?

At present, there is no such requirement.

In the event of a breach after May 25 2018, controllers will be required to notify the Data Inspection Board without unnecessary delay and no later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the integrity of the data subject.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

The Marketing Act states that electronic marketing (spam) cannot be sent to persons who have not given their consent. The act also establishes that before a call is made to a consumer for sales, marketing or fundraising purposes, the marketer must, in accordance with good marketing practice, check whether the consumer’s phone number is listed in the blocking registry (NIX-Telefoni).

Under the Data Protection Act, personal data cannot be used for the purposes of direct marketing unless the individual has given his or her consent.

Cookies

Are there rules governing the use of cookies?

The Electronic Communications Act states that information may be stored in or retrieved from a subscriber’s or user’s terminal equipment only if subscribers or users:

  • are provided with access to information on the purpose of the processing; and
  • have consented to the processing.

This does not apply to storage or retrieval necessary for:

  • the transmission of an electronic message over an electronic communications network; or
  • the provision of a service explicitly requested by the subscriber or user.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

The Data Protection Act governs the transfer of data outside Sweden.

Are there restrictions on the geographic transfer of data?

Unless there is a specific national interest in regard to certain state-owned companies or authorities, personal data may be transferred freely within the European Union and the European Economic Area (EEA) without restriction. Since there are no general rules that provide corresponding guarantees outside the European Union or the EEA, it has been considered that transfers to such countries must be limited. Therefore, personal data may be transferred outside the European Union or the EEA only if the recipient country provides an adequate level of protection or special safeguards protect the personal data and the rights of the data subjects.

Personal data may therefore be transferred to a third country:

  • where there is an adequate level of protection in the recipient country;
  • when the data subject has consented to the transfer;
  • in certain specific situations enumerated in the Data Protection Act; or
  • if it is permitted in some other way according to regulations or specific decisions by the government or the Data Inspection Board, on the basis that adequate safeguards are in place to protect the rights of the data subjects. Such safeguards may result from standard contractual clauses approved by the EU Commission or from binding corporate rules.

The processing of personal data in Sweden must comply with the Data Protection Act. This means that data may be transferred only if the controller in Sweden has complied with the other requirements of the Data Protection Act (eg, the fundamental requirements regarding the processing of personal data and the rules for when such processing is permitted).

After the EU General Data Protection Regulation enters into force on May 25 2018, personal data may be transferred to a third country where:

  • there is an adequate level of protection in the recipient country;
  • the transfer is subject to appropriate safeguards;
  • special permission is granted by the Data Inspection Board;
  • the data subject has consented; or
  • there are occasional transfers to a third country.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If a controller transfers the processing of personal data to a personal data processor, the parties must sign a written agreement under which the controller must ensure that the processor adheres to the guidelines that the controller must follow.

After May 25 2018 personal data processors will be subject to independent obligations, including:

  • to take appropriate technical and organisational security measures;
  • to keep a register of the personal data being processed;
  • to cooperate with the Data Inspection Board;
  • to appoint a data protection officer;
  • to inform the controller in the event of a breach; and
  • to follow the rules regarding third-country transfers.

In addition, the personal data processor will be subject to the same rules regarding penalties as the controller.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

The Data Inspection Board can sanction its decisions through an administrative fine. The administrative fine must be determined in accordance with:

  • what is known about the economic circumstances of the addressee; and
  • in the circumstances of the case, what may be expected to enable the addressee to comply with the injunction.

Therefore, in theory, the amount may be high but, in reality, the damages or penalties that can be sought in the courts are generally quite low. No financial penalties have been issued by the Data Inspection Board as a result of a breach of data protection legislation.

If the board finds that a decision thus sanctioned has been breached, it cannot on its own authority enforce the administrative fine. Instead, it must seek a court order that the fine be paid.

Only the Prosecution Authority can prosecute criminal offences under the Data Protection Act. Prosecution may be brought on the authority’s own initiative or following a complaint from the board, a perceived victim or the general public.

When the EU General Data Protection Regulation enters into force, the board will be able to enforce administrative fines.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes, violation of personal privacy or non-compliance with the Data Protection Act can lead to compensation for persons that have suffered damages.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

In Sweden, there is no specific legislation regarding cybercrime. However, cybercrime is covered by the Penal Code. With regard to data security, the Data Protection Act states that data must be processed safely and the controller must take appropriate technical and organisational security measures.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Controllers can be certified under standards issued by the International Organization for Standardization (ISO). ISO 27001 is an international standard for information security management, aimed at ensuring that data is handled securely and with confidentiality, integrity and availability.

Which cyber activities are criminalised in your jurisdiction?

Hacking and computer fraud are criminalised in Sweden.

Which authorities are responsible for enforcing cybersecurity rules?

The police and the Prosecution Authority are responsible for enforcing cybersecurity rules.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes, it is possible to obtain cyber-insurance. The market for this has increased over the past couple of years.

Are companies required to keep records of cybercrime threats, attacks and breaches?

At present, there is no such requirement. However, after the EU General Data Protection Regulation enters into force on May 25 2018, all breaches must be reported to the Data Inspection Board.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

At present, there is no such requirement. However, after May 25 2018 all breaches must be reported to the Data Inspection Board. Further, under the Electronic Communications Act, providers of electronic communication services must promptly notify the Post and Telecom Authority of any integrity incidents. If such incidents are expected to have a negative effect on the users of the service that the processed data concerns, or if requested by the authority, the users must also be promptly notified.

Are companies required to report cybercrime threats, attacks and breaches publicly?

There is no requirement in Sweden to report cybercrime threats, attacks or breaches publicly.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

The criminal penalty for cybercrime is up to two years’ imprisonment or a fine.

What penalties may be imposed for failure to comply with cybersecurity regulations?

When the EU General Data Protection Regulation enters into force, non-compliance with the regulation may result in an administrative fine of up to 4% of annual revenue.