Data Protection in Sweden: Difference between revisions
No edit summary |
|||
(11 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" | {| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" | ||
!colspan="2"|Data Protection in Sweden [[Category:Country Overview]] | ! colspan="2" |Data Protection in Sweden | ||
[[Category:Country Overview]] | |||
|- | |- | ||
|colspan="2"|[[File:se.png|center|250px]] | | colspan="2" |[[File:se.png|center|250px]] | ||
|- | |- | ||
| Data Protection Authority: || [[ | |Data Protection Authority:||[[IMY (Sweden)]] | ||
|- | |- | ||
| National Implementation Law (Original): || [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2018218-med-kompletterande-bestammelser_sfs-2018-218 Lag (2018:218)] | |National Implementation Law (Original):||[https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2018218-med-kompletterande-bestammelser_sfs-2018-218 Lag (2018:218)] | ||
|- | |- | ||
| English Translation of National Implementation Law: || | |English Translation of National Implementation Law:||[https://www.government.se/government-policy/the-constitution-of-sweden-and-personal-privacy/act-containing-supplementary-provisions-to-the-eu-sfs-2018218-general-data-protection-regulation / Act containing supplementary provisions to the EU General Data Protection Regulation] | ||
|- | |- | ||
| Official Language(s): || Swedish | |Official Language(s):||Swedish | ||
|- | |- | ||
| National Legislation Database(s): || [ | |National Legislation Database(s):||[http://www.lagrummet.se/ Link] | ||
|- | |- | ||
|National Decision Database(s):||[https://www.ris.bka.gv.at/ RIS.bka.gv.at] | |||
| National Decision Database(s): || [ | |||
|} | |} | ||
==Legislation== | ==Legislation== | ||
===History=== | ===History=== | ||
Sweden introduced one of the first data protection laws in the world in 1973 with the introduction of the Data Act (''Datalagen''). The supervisory authority '' | Sweden introduced one of the first data protection laws in the world in 1973 with the introduction of the Data Act (''Datalagen''). The supervisory authority ''Datainspektionen'' was founded the same year. On 1 January 2021, the name was changed to ''Integritetsskyddsmyndigheten'' ("''IMY")''. | ||
===National constitutional protections=== | ===National constitutional protections=== | ||
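Review bot: The new "National Decision Database(s)" row links to https://www.ris.bka.gv.at/, which is the Austrian federal legal information system (a .gv.at domain) and looks carried over from another country page; it should point to a Swedish source or stay empty. In the "English Translation of National Implementation Law" row the URL is followed by " / " before the label, so the link loses its trailing slash and the label renders as "/ Act containing ..."; the same link is written correctly, with the slash attached to the URL, in the implementation-law paragraph further down.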
Line 37: | Line 37: | ||
===National GDPR implementation law=== | ===National GDPR implementation law=== | ||
In Sweden the GDPR is implemented by | In Sweden the GDPR is implemented by [https://lagen.nu/2018:218 Lagen (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning]. The unofficial English name for this statute is the [https://www.government.se/government-policy/the-constitution-of-sweden-and-personal-privacy/act-containing-supplementary-provisions-to-the-eu-sfs-2018218-general-data-protection-regulation/ Act containing supplementary provisions to the EU General Data Protection Regulation]. This law is commonly refered to as "The Data Protection Act" (Dataskyddslagen).<ref>https://www.datainspektionen.se/lagar--regler/dataskyddslagen/</ref> | ||
====Age of consent==== | |||
==== Age of consent ==== | |||
The age of consent in Sweden is 13 years following § 4 of the Data Protection Act. | The age of consent in Sweden is 13 years following § 4 of the Data Protection Act. | ||
==== Freedom of Speech ==== | ====Freedom of Speech==== | ||
Under Chapter 3 § 3 number 3 there is a general provision opening up for processing personal data that represent an important public interest based on a balancing of interest with the fundamental rights and interests of the data subject. It follows from § 4 that the government may issue further regulations on processing of special categories of personal data that is necessary in view of an important public interest. | Under Chapter 3 § 3 number 3 there is a general provision opening up for processing personal data that represent an important public interest based on a balancing of interest with the fundamental rights and interests of the data subject. It follows from § 4 that the government may issue further regulations on processing of special categories of personal data that is necessary in view of an important public interest. | ||
==== Employment context ==== | ====Employment context==== | ||
Chapter 3 § 2 further that processing special categories of personal data in the context of employment and social security may be done in accordance with [[Article 9 GDPR|Article 9]] for purposes of excercising rights, or fulfilling obligations under labour law. | Chapter 3 § 2 further that processing special categories of personal data in the context of employment and social security may be done in accordance with [[Article 9 GDPR|Article 9]] for purposes of excercising rights, or fulfilling obligations under labour law. | ||
==== Research ==== | ====Research==== | ||
Under Chapter 3 § 3 number 3 there is a general provision opening up for processing personal data that represent an important public interest based on a balancing of interest with the fundamental rights and interests of the data subject. It follows from § 4 that the government may issue further regulations on processing of special categories of personal data that is necessary in view of an important public interest. | Under Chapter 3 § 3 number 3 there is a general provision opening up for processing personal data that represent an important public interest based on a balancing of interest with the fundamental rights and interests of the data subject. It follows from § 4 that the government may issue further regulations on processing of special categories of personal data that is necessary in view of an important public interest. | ||
==== Archival and statistical purposes ==== | ====Archival and statistical purposes==== | ||
Special categories of personal data may be processed if it is necessary for the controller to comply with regulations on archives pursuant to Chapter 3 § 6. | Special categories of personal data may be processed if it is necessary for the controller to comply with regulations on archives pursuant to Chapter 3 § 6. | ||
For processing of special categories of personal data for statistical purposes, the benefit must be necessary for statistical purposes and the public interests in the processing must clearly weigh in the favor of such processing without an undue intrusion into the privacy of the individual, pursuant to Chapter 3 § 7. | For processing of special categories of personal data for statistical purposes, the benefit must be necessary for statistical purposes and the public interests in the processing must clearly weigh in the favor of such processing without an undue intrusion into the privacy of the individual, pursuant to Chapter 3 § 7. | ||
==== Health sector ==== | ====Health sector==== | ||
According to Chapter 3 § 5 of the Data Protection Act, special categories of personal data may be used if the processing is necessary for one of six applicable purposes: | According to Chapter 3 § 5 of the Data Protection Act, special categories of personal data may be used if the processing is necessary for one of six applicable purposes: | ||
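Review bot: In the "National GDPR implementation law" paragraph the footnote still cites www.datainspektionen.se, while this revision renames the authority to IMY everywhere else; the reference should be checked and moved to the authority's current site if the old address no longer serves the page. In the same sentence "refered" should be "referred". The unchanged Employment paragraph is worth fixing while the section is being touched: "Chapter 3 § 2 further that" is missing its verb and "excercising" is misspelled. The Freedom of Speech and Research paragraphs are word-for-word identical, so at least one of them probably cites the wrong provision.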
Line 69: | Line 67: | ||
====Other relevant national provisions and laws==== | ====Other relevant national provisions and laws==== | ||
IMY can impose sanctions on government breaches pursuant to Chapter 6 § 1(1) in accordance with [[Article 83 GDPR|Article 83]] | |||
===National ePrivacy Law=== | ===National ePrivacy Law=== | ||
The ePrivacy Directive is implemented through several laws, the most important being the Electronic Communications Act ([https://lagen.nu/2003:389 Lag 2003:389] in SE) which regulates the placement of cookies in § 18. | The ePrivacy Directive is implemented through several laws, the most important being the Electronic Communications Act ([https://lagen.nu/2003:389 Lag 2003:389] in SE) which regulates the placement of cookies in § 18. The supervisory authority is [https://www.pts.se/en/ Post- och telestyrelsen, PTS]. | ||
==Data Protection Authority== | ==Data Protection Authority== | ||
The Swedish Data Protection Authority ('' | The Swedish Data Protection Authority (''Integritetsskyddsmyndigheten, "IMY"'') is the national data protection authority for Sweden. | ||
→ Details see [[ | → Details see [[IMY_(Sweden)]] | ||
==Judicial protection== | ==Judicial protection== | ||
The Courts in Sweden are divided into two distinct tracks: The General Courts and The Administrative Courts. Both tracks have three tiers. The General Courts mainly deal with criminal cases, in addition to some select civil law disputes. | The Courts in Sweden are divided into two distinct tracks: The General Courts and The Administrative Courts. Both tracks have three tiers. The General Courts mainly deal with criminal cases, in addition to some select civil law disputes. | ||
Complaints regarding | Complaints regarding IMY's administration of a case can be lodged as a complaint with the Parliamentary Ombudsmen. | ||
===General Courts=== | ===General Courts=== | ||
While most of the cases related to data protection will be handled by the Administrative Courts if brought into the court system, requests for damages will be handled by the General Courts. Claims of damages can also be handled by | While most of the cases related to data protection will be handled by the Administrative Courts if brought into the court system, requests for damages will be handled by the General Courts. Claims of damages can also be handled by IMY. | ||
===Administrative Courts=== | ===Administrative Courts=== | ||
Appeals from | Appeals from IMY can be brought before the Administrative Courts. | ||
# https://www.imy.se/verksamhet/dataskydd/sa-hanger-lagarna-ihop/ |
Latest revision as of 14:08, 1 October 2021
Data Protection in Sweden | |
---|---|
Data Protection Authority: | IMY (Sweden) |
National Implementation Law (Original): | Lag (2018:218) |
English Translation of National Implementation Law: | Act containing supplementary provisions to the EU General Data Protection Regulation |
Official Language(s): | Swedish |
National Legislation Database(s): | Link |
National Decision Database(s): | RIS.bka.gv.at |
Legislation
History
Sweden introduced one of the first data protection laws in the world in 1973 with the introduction of the Data Act (Datalagen). The supervisory authority Datainspektionen was founded the same year. On 1 January 2021, the name was changed to Integritetsskyddsmyndigheten ("IMY").
National constitutional protections
The Swedish Basic Laws are four fundamental laws, regulating the political system and acting in the same role as constitutions in most other countries. The four Basic Laws are The Instrument of Government; The Freedom of the Press Act; The Fundamental Law on Freedom of Expression, and the Act of Succession.
The Basic Law protects the right to privacy in Chapter 2 § 6 in the Instrument of Government.
The right to free speech is secured in Chapter 2 § 1 in the Instrument of Government and Chapter 2 § 1 of The Fundamental Law on Freedom of Expression, and Chapter 1 § 1 in the Fundamental Law on Freedom of Expression.
Freedom of information follows from Chapter 2 § 1 in the Instrument of Government.
The right of public access follows from Chapter 2 § 1 The Fundamental Law on Freedom of Expression.
It is uncertain whether the GDPR is compatible with these constitutional protections. The stance of the Swedish government is that Articles 85 and 86 allow the constitutional protections found in the Basic Laws.
National GDPR implementation law
In Sweden the GDPR is implemented by Lagen (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning. The unofficial English name for this statute is the Act containing supplementary provisions to the EU General Data Protection Regulation. This law is commonly referred to as "The Data Protection Act" (Dataskyddslagen).[1]
Age of consent
The age of consent in Sweden is 13 years following § 4 of the Data Protection Act.
Freedom of Speech
Chapter 3 § 3 number 3 contains a general provision allowing the processing of personal data that represents an important public interest, based on a balancing of interests with the fundamental rights and interests of the data subject. It follows from § 4 that the government may issue further regulations on the processing of special categories of personal data that is necessary in view of an important public interest.
Employment context
Chapter 3 § 2 further provides that processing special categories of personal data in the context of employment and social security may be done in accordance with Article 9 for purposes of exercising rights or fulfilling obligations under labour law.
Research
Chapter 3 § 3 number 3 contains a general provision allowing the processing of personal data that represents an important public interest, based on a balancing of interests with the fundamental rights and interests of the data subject. It follows from § 4 that the government may issue further regulations on the processing of special categories of personal data that is necessary in view of an important public interest.
Archival and statistical purposes
Special categories of personal data may be processed if it is necessary for the controller to comply with regulations on archives pursuant to Chapter 3 § 6.
For processing of special categories of personal data for statistical purposes, the benefit must be necessary for statistical purposes and the public interests in the processing must clearly weigh in favor of such processing without an undue intrusion into the privacy of the individual, pursuant to Chapter 3 § 7.
Health sector
According to Chapter 3 § 5 of the Data Protection Act, special categories of personal data may be used if the processing is necessary for one of six applicable purposes:
(1) preventive health care and occupational medicine; (2) the assessment of an employee's work capacity; (3) medical diagnoses; (4) provision of health care or treatment; (5) social care; or (6) management of health care services, social care and their systems.
Other relevant national provisions and laws
IMY can impose sanctions on government breaches pursuant to Chapter 6 § 1(1) in accordance with Article 83.
National ePrivacy Law
The ePrivacy Directive is implemented through several laws, the most important being the Electronic Communications Act (Lag 2003:389 in SE) which regulates the placement of cookies in § 18. The supervisory authority is Post- och telestyrelsen, PTS.
Data Protection Authority
The Swedish Data Protection Authority (Integritetsskyddsmyndigheten, "IMY") is the national data protection authority for Sweden.
→ For details, see IMY (Sweden)
Judicial protection
The Courts in Sweden are divided into two distinct tracks: The General Courts and The Administrative Courts. Both tracks have three tiers. The General Courts mainly deal with criminal cases, in addition to some select civil law disputes.
Complaints regarding IMY's administration of a case can be lodged with the Parliamentary Ombudsmen.
General Courts
While most of the cases related to data protection will be handled by the Administrative Courts if brought into the court system, requests for damages will be handled by the General Courts. Claims of damages can also be handled by IMY.
Administrative Courts
Appeals from IMY can be brought before the Administrative Courts.