Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

The Marketing Act states that electronic marketing (spam) cannot be sent to persons who have not given their consent. The act establishes that before a call is made to a consumer for sales, marketing or fundraising purposes, the marketer must – according to good marketing practice – control if the consumer’s phone number is in the blocking registry (NIX-Telefoni).

Under the Data Protection Act, personal data cannot be used for the purposes of direct marketing unless the individual have given his or her consent.


Are there rules governing the use of cookies?

The Electronic Communications Act states that information may be stored in or retrieved from a subscriber’s or user’s terminal equipment only if subscribers or users:

  • are provided with access to information on the purpose of the processing; and
  • have consented to the processing.

This does not apply to storage or retrieval necessary for:

  • the transmission of an electronic message over an electronic communications network; or
  • the provision of a service explicitly requested by the subscriber or user.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

The Data Protection Act governs the transfer of data outside Sweden.

Are there restrictions on the geographic transfer of data?

Unless there is specific national interest in regard to certain state-owned companies or authorities, personal data may be transferred freely within EU and European Economic Area (EEA) countries without restriction. Since there are no general rules that provide corresponding guarantees outside the European Union or the EEA, it has been considered that transfers to such countries must be limited. Therefore, personal data may be transferred outside the European Union or the EEA only if the recipient country supports an adequate level of protection or special safeguards protect the personal data and the rights of the data subjects.

Personal data may therefore be transferred to a third country:

  • where there is an adequate level of protection in the recipient country;
  • when the data subject has consented to the transfer;
  • in certain specific situations enumerated in the Data Protection Act; or
  • if it is permitted in some other way according to regulations or specific decisions by the government or the Data Inspection Board with reference to the fact that adequate safeguards are in place to protect the rights of the data subjects. Such safeguards may result from standard contractual clauses approved by the EU Commission or the Binding Corporate Rules.

The processing of personal data in Sweden must comply with the Data Protection Act. This means that data may be transferred only if the controller in Sweden has complied with the other requirements of the Data Protection Act (eg, the fundamental requirements regarding the processing of personal data and the rules for when such processing is permitted).

After the EU General Data Protection Regulation enters into force on May 25 2018, personal data may be transferred to a third country where:

  • there is an adequate level of protection in the recipient country;
  • the transfer is subject to appropriate safeguards;
  • special permission is granted by the Data Inspection Board;
  • the data subject has consented; or
  • there are occasional transfers to a third country.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If a controller transfers the processing of personal data to a personal data processor, the parties must sign a written agreement under which the controller must ensure that the processor adheres to the guidelines that the controller must follow.

After May 25 2018 personal data processors will be subject to independent obligations, including:

  • to take appropriate technical and organisational security measures;
  • to keep a register of the personal data being processed;
  • to cooperate with the Data Inspection Board;
  • to appoint a data protection officer;
  • to inform the controller in the event of a breach; and
  • to follow the rules regarding third-country transfers.

In addition, the personal data processor will be subject to the same rules regarding penalties as the controller.

Click here to view the full article.