IMY (Sweden) - IMY-2022-1621: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
(19 intermediate revisions by 3 users not shown)
Line 34: Line 34:
|GDPR_Article_3=Article 85(2) GDPR
|GDPR_Article_3=Article 85(2) GDPR
|GDPR_Article_Link_3=Article 85 GDPR#2
|GDPR_Article_Link_3=Article 85 GDPR#2
|GDPR_Article_4=
|GDPR_Article_4=Article 6(1)(f) GDPR
|GDPR_Article_Link_4=
|GDPR_Article_Link_4=Article 6 GDPR#1f
|GDPR_Article_5=
|GDPR_Article_5=Article 4(7) GDPR
|GDPR_Article_Link_5=
|GDPR_Article_Link_5=Article 4 GDPR#7


|EU_Law_Name_1=
|EU_Law_Name_1=
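Review bot: GDPR_Article_4 and GDPR_Article_5 add Article 6(1)(f) GDPR and Article 4(7) GDPR to the infobox, but the same revision deletes the only summary passages that mention them: the "Controller?" paragraph citing Article 4(7) and the legitimate-interest discussion citing Article 6(1)(f). Either keep one sentence on each in the Holding or drop the two entries, so that every article listed under Relevant Law can be traced to the summary text.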
Line 54: Line 54:
|Party_Link_2=
|Party_Link_2=


|Appeal_To_Body=
|Appeal_To_Body=SAC (Sweden)
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=4588-23
|Appeal_To_Status=
|Appeal_To_Status=Upheld
|Appeal_To_Link=
|Appeal_To_Link=https://gdprhub.eu/index.php?title=H%C3%B6gsta_f%C3%B6rvaltningsdomstolen_-_4588-23


|Initial_Contributor=
|Initial_Contributor=
Line 63: Line 63:
}}
}}


The Swedish DPA issued a warning and injunction against the controller, which provided a service allowing users to search the company's database with sensitive personal data, derived from court decisions. The controller violated Article 9 GDPR.   
The Swedish DPA reprimanded a controller for violating [[Article 9 GDPR]] by publishing sensitive data in its background check database, such as information about compulsory care due to mental illness and addiction.   


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Swedish DPA received complaints about the service of the controller. This service allowed users to search through a database which contained sensitive personal data from data subjects, including information about individuals that had been subject to compulsory care due to mental illness or addiction. This data was derived from different sorts of court decisions. The database contained specific search fields for "Name", "Personal number", "City/Address" and "Free text search". According to statements from the controller, all decisions from 2008 onwards were available and searchable in the database.
The controller was a company which provided background check services in Sweden. For this purpose, it made publicly available a database, which contained legal and financial information of both legal and natural persons, collected among others from court decisions from 2008 onwards. The database included specific search fields for "name", "personal identity number", "city/address" and "free text search". On top of that, an additional "background check extension service" enabled customers, through a consent request from the person to whom the background check related, to obtain a report on any current or past legal disputes regarding compulsory care due to mental illness or addiction.  


The controller possesed a volutantary license, which normally excluded applicability of the GDPR under Swedish law in favor of the freedom of expression. This was constitutional protection based on the right of freedom of expression, and based on an exception under article 85 GDPR.
The Swedish DPA received multiple complaints from data subjects about the service of the controller, especially the processing of sensitive data relating to health. The DPA initiated its own investigation in order to find out whether the controller was subject to and respected the applicable data protection laws. The controller alleged that the GDPR did not apply to its service because it was constitutionally protected under the [https://lagen.nu/1991:1469 Swedish Freedom of Expression Act]. To illustrate the issue at hand, Swedish law contained exceptions on the applicability of the GDPR in favour of freedom of expression. Member States have the possibility to introduce such exceptions provided in [[Article 85 GDPR]].


However, due to an amendment to this Swedish law, the GDPR could be applicable when sensitive personal data is published, despite the licence of the controller (Chapter 1 section 20 YGL). This amandament was introduced after political debate and a warning from the Contitutional comitee that the existence of this volutary licence could impact the privacy of data subjects.   
The specific provision, [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2018218-med-kompletterande-bestammelser_sfs-2018-218 Chapter 1.7 Paragraph 1 of the Swedish Data Protection Act,] states that the GDPR and the implementing national law shall not apply to the extent that this would conflict, among others, with the [https://lagen.nu/1991:1469 Freedom of Expression Act]. Under this law, the GDPR generally applies to online publications. As a way of exception, publications using databases developed from publicly available information, are not covered by the GDPR. However, the GDPR is still applicable when sensitive data was published in such a database ([https://lagen.nu/1991:1469 Chapter 1 Section 20 of the Freedom of Expression Act]).   


The was also another provision in Swedish law which excluded the GDPR from being applicable (Chapter 1 second paragraph of Article 7 Data Protection Act) provided an exception to the right to freedom of expression and information outside of constitutional protection. The exception covered the processing of personal data for journalistic purposes or for academic, artistic or literary creation. The provision stated that Articles 5-30 and 35-50 GDPR and Chapters 2-5 of the Swedish Data Protection Act should not apply for journalistic purposes.
In the present case, the DPA had to determine whether the controller's database fell within the scope of the above-mentioned provisions.


=== Holding ===
=== Holding ===
'''Question 1: Does the exception (Chapter 1 section 20 YGL) apply to the processing in question?''' 
The Swedish DPA determined whether the exception in [https://lagen.nu/1991:1469 Chapter 1 Section 20 Freedom of Expression Act], which made the GDPR applicable to processing of sensitive data, was relevant. Three separate conditions had to be met for this.


The DPA held that there were three separate conditions for the specific exception in Swedish Law, in order for the GDPR to be applicable in this case.  
First, there had to be a disclosure of sensitive personal data. The DPA recalled that the term "health data" should be interpreted broadly ([[Article 4 GDPR|Article 4(15) GDPR]]), reflecting both physical and mental state ([https://curia.europa.eu/juris/liste.jsf?language=de&num=C-101/01 Lindqvist, Case C-101/01]). The DPA held that the respective court cases in the database usually contained information about the health of persons, for example when the data subject had been subject to compulsory care. Therefore, there was a disclosure of sensitive personal data.


- <u>There had to be a disclosure of sensitive personal data</u>: The DPA confirmed that the information was disclosed as meant in chapter 1 section 20 YGL. The DPA later also confirmed that the data was in fact sensitive personal data. The DPA referred to the CJEU, stating that the term ‘health data’ should be interpreted broadly. The DPA held that the data in question was health data in the context of Swedish law, which had the same definition as article 4(15) GDPR. The DPA also referred to the EDPB, stating that this health data could both reflect physical and mental state. The DPA holds that the respective court cases in the database usually contain information about the health of the person, therefore being sensitive data.
Second, the data had to be part of a data collection organised in such a way that it could be searched or compiled. The only requirements were that the data must concern more than one person and the data has to be sorted according to some kind of system. The DPA concluded that, in this case, large amounts of sensitive data were involved. For the data to be searchable, it was sufficient that that the data collection allowed for a free text search, as in the controllers database.


- <u>The data is part of a data collection organized in such a way that they can be searched or compiled (second paragraph 1)</u>. The DPA held that for this criterion, no large amount of data was required. The only requirements were that the data must concern more than one person and the data has to be sorted according to some kind of system.  
Third, there had to be specific risks of undue intrusion into the privacy of individuals, given the nature of the activities and the forms in which the data collection was made available. The DPA held that, in this case, the controller extensively collected judicial decisions that contained highly privacy-sensitive information. The collection was carried out without assessing the relevance of the individual court decisions. Furthermore, the controller did not take any measures to limit the possibility of searching for personal information linking to a data subject, such as name or social security number. The DPA concluded that the publication of this data posed particular risks of undue interference with the privacy of individuals. In conclusion, the GDPR was applicable to the case at hand.
The DPA concluded that large amounts of data on the health of a large number of persons was involved, and this was therefore a data collection.  
For the data to be searchable, the DPA held that it was sufficient that that the data collection allowed for a free text search, which was the case with the service of the controller. The service allowed for search by free text search as well as searches by name, social security-number, city and address.  


- <u>There were specific risks of undue intrusion into the privacy of individuals, given the nature of the activities and the forms in which the data collection is made available (second paragraph 2):</u> The DPA held that the activities of the controller and the form in which the data is made available have to be taken into account in this assessment. An overall assessment had to be made with factors such as the purpose of providing the data collection, the type of data provided and the search and aggregation functions.
Further, the DPA assessed whether the rules on journalistic publication in [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2018218-med-kompletterande-bestammelser_sfs-2018-218 Chapter 1.7, Paragraph 2 of the Data Protection Act] applied to the processing. The DPA held that the fact that a website contains certain publications with a journalistic purpose did not mean that all publications on that website should be considered to have such a purpose. The link between the personal data and an editorial element has to be clear and relevant in order for this journalistic exception to be invoked. The DPA determined that the purposes used by the controller, to provide background checks for recruitment amongst other things, were not journalistic purposes. Despite the fact that the controller had argued its activities were necessary for the legitimate interest of the general public in obtaining access to public documents, the DPA held that this did not mean the controller itself had a journalistic purpose for its processing. Therefore, the journalistic exception was not applicable in this case.
The DPA held that in this case there was an extensive collection of judicial decisions that contained highly privacy-sensitive information. The collection was carried out without assessing the relevance of the individual decisions. The DPA also stated that one of the purposes was to provide background checks for recruitment, which could lead to significant consequences for the data subjects. The controller didn’t take any measures to exclude or limit the possibility of searching for data directly attributable to a natural person, such as name or social security number. The controller also didn’t remove such information from the documents.
The DPA concluded that the controller provided a search service for sensitive personal data, which was far removed from the purposes in the constitution. The publication of this data posed particular risks of undue interference with the privacy on individuals.


With all of the three criteria met, the DPA found that the exception applied to the processing in question.
Finally, the DPA also assesed the lawfulness of the processing, by looking at whether the processing of sensitive data violated [[Article 9 GDPR]]. In this regard, the DPA noted that the controller only asked for consent from the data subject after a background check had already been ordered. Consent was therefore given after the controller had carried out the processing operations to collect and arrange the court decisions. The DPA held that consent obtained after the processing was not valid. Hence, there was no need to consider whether the requirements of explicit consent under [[Article 9 GDPR|Article 9(2)(a) GDPR]] were met. The DPA noted that the statements of the controller referred to the exception in [[Article 9 GDPR|Article 9(2)(g) GDPR]]. National rules could be introduced, such as described in [[Article 9 GDPR|Article 9(2)(g) GDPR]], to support the processing of sensitive personal data, necessary to ensure the public's freedom of expression and information. However, these national rules should be proportionate and contain appropriate measures to safeguard the fundamental rights and interests of the data subject. Since, the Swedish law did not contain such provisions, the controller was not able to rely on [[Article 9 GDPR|Article 9(2)(g) GDPR]] for its processing. The DPA concluded that the controller processed health data in violation of [[Article 9 GDPR]].


'''Question 2: Whether or not the journalistic exemption in Chapter 1.7, second paragraph of the Data Protection Act applies to the processing:'''
The DPA reprimanded the controller but did not impose a fine, due to mitigating factors, such as the fact that the controller was a licensed operator and because the matter at stake involved relatively complex assessments.


The crucial element in this question is the fact whether or not the processing of the controller fell under the journalistic exemption under Swedish law (Chapter 1 second paragraph Article 7 of the data protection act). If the processing fell under this exception, the GDPR would not be applicable. 
The DPA held that the fact that a website contains certain publications with a journalistic purpose does not mean that all publications on that website should be considered to have a journalistic purpose. The link between the personal data and an editorial element has to be clear and relevant in order for the journalistic exception to be invoked. The DPA held that this was not the case with the data collection in question. 
The DPA also determined that the purposes used by the controller, to provide background checks for recruitment amongst other things, were not journalistic purposes. The DPA also dismissed the argument from the controller that the database was also used for other purposes such as research. The DPA repeated that the data collection provided by the controller is the result of an extensive collection of judicial decisions containing highly privacy-sensitive information. The collection was done without assessing the relevance of the court-decision. There is also no removal of direct personal data such as names and personal identification numbers. This resulted in a database that could contain anyone who has been subject to compulsory care for mental illness or addiction since 2008.
This data collection could therefore not be considered to have a journalistic purpose as its main purpose. Despite the fact that the controller had argued that its activities were necessary for the legitimate interest of the general public in obtaining access to public documents, the DPA held that this did not mean the controller itself had a journalistic purpose for its processing.
Therefore, the DPA held that the journalistic exception was not applicable in this case. 
'''Controller?'''
The DPA also confirmed that the controller was indeed the controller, because it decided the means and purposes of the processing (Article 4(7) GDPR)). 
'''Question 3: is the processing contrary to Article 9 GDR?''' 
The DPA already held that the controller processed sensitive personal data, in this case health data (Article 9(1) GDPR)).
The DPA held that the controller only asked consent to the data subject after a background check was ordered from the controller. Consent was therefore given after the controller had carried out the processing operations to collect and arrange the court decision decisions. The DPA held that consent obtained after the processing was not valid. There was therefore no need to consider whether the supposed explicit consent otherwise met the conditions of the GDPR.
The controller also claimed that the processing "was necessary for purposes relating to the controller’s legitimate interest in being able to pursue its constitutionally protected activities within the framework of its publishing license". The DPA held that ‘legitimate interest’ was not one of the exceptions that was provided in article 9(2) GDPR, but was rather one of the legal ground for lawful processing (Article 6(1)(f) GDPR. The DPA held that the statements of the controller should be understood so that the controller referred to the exception in Article 9(2)(g) GDPR. The DPA held that it could not be excluded that, in addition, national rules of the kind referred to in Article 9(2)(g) GDPR could be introduced to support the processing of sensitive personal data necessary to ensure the public's freedom of expression and information. However, this regulation should contain appropriate and specific measures to safeguard the fundamental rights and interests of the data subject. Such a regulation was however not introduced in Swedish law. The controller was therefore not able to rely on article 9(2)(g) GDPR for its processing. 
Because of the lack of evidence to suggest that an exception in Article 9(2) GDPR was applicable, The DPA held that the controller processed sensitive personal data (health data) in violation of Article 9 of the GDPR.
The DPA reprimanded the controller without giving a fine. 
== Comment ==
== Comment ==
''Share your comments here!''
''Share your comments here!''
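Review bot: the new lead sentence says only that the DPA "reprimanded" the controller and drops the "injunction" from the old lead, yet the translated decision on this page also orders measures under article 58.2 d (removing name, social security number and address search for compulsory-care decisions). The closing sentence of the Holding has the same gap, so add the order to both. The new text also needs a proofread: "assesed" in the paragraph starting "Finally", "that that the data collection" and "the controllers database" in the "Second" paragraph, and the stray comma in "Since, the Swedish law".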

Latest revision as of 11:06, 3 July 2024

IMY - IMY-2022-1621
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 9 GDPR
Article 85(1) GDPR
Article 85(2) GDPR
Article 6(1)(f) GDPR
Article 4(7) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.09.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: IMY-2022-1621
European Case Law Identifier: n/a
Appeal: Upheld
SAC (Sweden)
4588-23
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: n/a

The Swedish DPA reprimanded a controller for violating Article 9 GDPR by publishing sensitive data in its background check database, such as information about compulsory care due to mental illness and addiction.

English Summary

Facts

The controller was a company which provided background check services in Sweden. For this purpose, it made publicly available a database, which contained legal and financial information of both legal and natural persons, collected among others from court decisions from 2008 onwards. The database included specific search fields for "name", "personal identity number", "city/address" and "free text search". On top of that, an additional "background check extension service" enabled customers, through a consent request from the person to whom the background check related, to obtain a report on any current or past legal disputes regarding compulsory care due to mental illness or addiction.

The Swedish DPA received multiple complaints from data subjects about the service of the controller, especially the processing of sensitive data relating to health. The DPA initiated its own investigation in order to find out whether the controller was subject to and respected the applicable data protection laws. The controller alleged that the GDPR did not apply to its service because it was constitutionally protected under the Swedish Freedom of Expression Act. To illustrate the issue at hand, Swedish law contained exceptions on the applicability of the GDPR in favour of freedom of expression. Member States have the possibility to introduce such exceptions provided in Article 85 GDPR.

The specific provision, Chapter 1.7 Paragraph 1 of the Swedish Data Protection Act, states that the GDPR and the implementing national law shall not apply to the extent that this would conflict, among others, with the Freedom of Expression Act. Under this law, the GDPR generally applies to online publications. By way of exception, publications using databases developed from publicly available information are not covered by the GDPR. However, the GDPR is still applicable when sensitive data was published in such a database (Chapter 1 Section 20 of the Freedom of Expression Act).

In the present case, the DPA had to determine whether the controller's database fell within the scope of the above-mentioned provisions.

Holding

The Swedish DPA determined whether the exception in Chapter 1 Section 20 Freedom of Expression Act, which made the GDPR applicable to processing of sensitive data, was relevant. Three separate conditions had to be met for this.

First, there had to be a disclosure of sensitive personal data. The DPA recalled that the term "health data" should be interpreted broadly (Article 4(15) GDPR), reflecting both physical and mental state (Lindqvist, Case C-101/01). The DPA held that the respective court cases in the database usually contained information about the health of persons, for example when the data subject had been subject to compulsory care. Therefore, there was a disclosure of sensitive personal data.

Second, the data had to be part of a data collection organised in such a way that it could be searched or compiled. The only requirements were that the data must concern more than one person and must be sorted according to some kind of system. The DPA concluded that, in this case, large amounts of sensitive data were involved. For the data to be searchable, it was sufficient that the data collection allowed for a free text search, as in the controller's database.

Third, there had to be specific risks of undue intrusion into the privacy of individuals, given the nature of the activities and the forms in which the data collection was made available. The DPA held that, in this case, the controller extensively collected judicial decisions that contained highly privacy-sensitive information. The collection was carried out without assessing the relevance of the individual court decisions. Furthermore, the controller did not take any measures to limit the possibility of searching for personal information linking to a data subject, such as name or social security number. The DPA concluded that the publication of this data posed particular risks of undue interference with the privacy of individuals. In conclusion, the GDPR was applicable to the case at hand.

Further, the DPA assessed whether the rules on journalistic publication in Chapter 1.7, Paragraph 2 of the Data Protection Act applied to the processing. The DPA held that the fact that a website contains certain publications with a journalistic purpose did not mean that all publications on that website should be considered to have such a purpose. The link between the personal data and an editorial element has to be clear and relevant in order for this journalistic exception to be invoked. The DPA determined that the purposes used by the controller, to provide background checks for recruitment amongst other things, were not journalistic purposes. Despite the fact that the controller had argued its activities were necessary for the legitimate interest of the general public in obtaining access to public documents, the DPA held that this did not mean the controller itself had a journalistic purpose for its processing. Therefore, the journalistic exception was not applicable in this case.

Finally, the DPA also assessed the lawfulness of the processing, by looking at whether the processing of sensitive data violated Article 9 GDPR. In this regard, the DPA noted that the controller only asked for consent from the data subject after a background check had already been ordered. Consent was therefore given after the controller had carried out the processing operations to collect and arrange the court decisions. The DPA held that consent obtained after the processing was not valid. Hence, there was no need to consider whether the requirements of explicit consent under Article 9(2)(a) GDPR were met. The DPA noted that the statements of the controller referred to the exception in Article 9(2)(g) GDPR. National rules could be introduced, such as described in Article 9(2)(g) GDPR, to support the processing of sensitive personal data, necessary to ensure the public's freedom of expression and information. However, these national rules should be proportionate and contain appropriate measures to safeguard the fundamental rights and interests of the data subject. Since Swedish law did not contain such provisions, the controller was not able to rely on Article 9(2)(g) GDPR for its processing. The DPA concluded that the controller processed health data in violation of Article 9 GDPR.

The DPA reprimanded the controller but did not impose a fine, due to mitigating factors, such as the fact that the controller was a licensed operator and because the matter at stake involved relatively complex assessments.


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Verifiera AB
Banérgatan 3
114 56 Stockholm

Diary number: IMY-2022-1621
Date: 2022-09-13

The Swedish Privacy Agency
Mailing address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Phone: 08-657 61 00

Decision after supervision according to data protection regulation - Verifiera AB

Content

The Privacy Protection Authority's decision
Statement of the supervisory matter
    Information about the Services on the Website
    What Verifiera AB has stated
        Opinion on 27 May 2022
        Opinion on 13 June 2022
Limitation of the examination framework in the review
Justification of the decision
    Legal background
        EU law's regulation of the relationship between the right to protection for personal data and the right to freedom of expression and information
        The Swedish Data Protection Act's exception for opinion and freedom of information
        The basic regulation on voluntary issuance certificates
    The interpretation of ch. 1 Section 20 YGL and IMY's authority
    The exception in ch. 1 § 20 YGL is applicable
        Personal information about health is made public
        The data collection has been arranged so that it is possible to search for or compile sensitive personal data
        There are particular risks for improper intrusions into the personal integrity
        Summative Assessment
    Processing does not take place for journalistic purposes
        Applicable regulations, etc.
        Assessment by the Privacy Protection Authority
    Verifiera is the personal data controller for the processing
    The processing contravenes Article 9 of the Data Protection Ordinance
        Applicable regulations
        Consent
        Article 9.2 g and the freedom of expression and information
        Article 9.2 g and the principle of publicity
        Conclusions
    Choice of intervention
How to appeal

The Privacy Protection Authority's decision

The Swedish Privacy Protection Authority finds that Verifiera AB, during the period 6 April 2022 – 28 June 2022, processed sensitive personal data (data about health) in violation of Article 9 of the Data Protection Regulation in its services at www.verifiera.se.

The Swedish Privacy Protection Authority gives Verifiera AB a reprimand under Article 58.2 b of the Data Protection Regulation for the established violation.

The Swedish Privacy Protection Authority orders Verifiera AB, under Article 58.2 d of the Data Protection Regulation, to take measures so that, in the services that Verifiera offers on www.verifiera.se, it is no longer possible for users of the services to search for persons with any of the search parameters personal name, social security number or address and thereby access decisions in cases under the Act (1991:1128) on compulsory psychiatric care or the Act (1988:870) on the care of drug addicts in certain cases that concern the person searched for. The measures must have been taken no later than eight weeks after this decision has gained legal force.


Account of the supervisory matter

The Swedish Privacy Protection Authority (IMY) has received complaints regarding the services of Verifiera AB (Verifiera or the company). IMY subsequently, on its own initiative, initiated supervision of Verifiera against the background of the description of its services (hereinafter "the Services") which the company has provided on its website www.verifiera.se (hereinafter the "Website"). [2]

The purpose of the supervision was to investigate whether Verifiera, through the provision of the Services:

   • publishes sensitive personal data in such a way as referred to in Chapter 1, Section 20 YGL,
   • processes personal data in a manner that is compatible with the principles of lawfulness, fairness, transparency, purpose limitation and data minimization (Article 5 of the Data Protection Regulation),
   • has support in some legal basis for the processing of personal data (Article 6 of the Data Protection Regulation), and
   • processes information about health, i.e. sensitive personal data in the sense referred to in Article 9.1 of the Data Protection Regulation, and, in that case, whether any of the exceptions in Article 9.2 of the Data Protection Regulation from the prohibition of processing such data is applicable.

The supervision was carried out through a review of the information that Verifiera provided about the Services on the Website and through correspondence.









[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] For a description of the services, see below under the headings "Information about the Services on the Website" and "What Verifiera AB has stated".






Information about the Services on the Website

On April 6, 2022, IMY reviewed and documented the information that Verifiera provided about the Services on the Website. The documentation has been communicated to Verifiera and its accuracy has not been questioned by the company. It shows the following.

The start page shows example images of how a search in the legal database might look. For person searches there are special search fields for "Name", "Social security number", "City/Address" and "Free text search".


On "www.verifiera.se/tjanster" the following appears:

   "How does Verifiera's service take GDPR into account? Verifiera and our services of course follow the laws, rules and regulations that apply. Verifiera has a certificate of publication and is thereby constitutionally protected under the Freedom of Expression Act (YGL), which means that the GDPR (Data Protection Regulation) is not applicable to Verifiera or Verifiera's services. That Verifiera has a certificate of publication and is constitutionally protected further means that it is not the Privacy Protection Authority (IMY) that is the supervisory authority with regard to Verifiera's certificate of publication; this instead falls to the Authority for Press, Radio and Television. As long as our customers are in Verifiera's web interface, our customers' use of our services is covered by the same constitutional protection. As a user, however, you must comply with the GDPR if you choose to download and process personal data in the sense of the GDPR. For more specific questions, do not hesitate to contact our Customer Service."

   "How do I know that the information is correct? Verifiera retrieves all documents instantly from Swedish courts and authorities. As a result, the information that you can find in Verifiera's legal database is extremely reliable. The fact that Verifiera's legal database is updated in real time ensures that you always get the latest, updated information. No changes are made to the information that appears in the public documents."

   "How extensive is the background information? A background check report can, at the customer's request, include either only legal information or both legal and financial information. The legal information extends back in time to the year 2008 and includes all public legal documents for a certain legal or natural person. The financial information includes historical debt balances as registered with Kronofogden, the most recent taxation years from the Tax Agency and any payment orders.

   Furthermore, background checks cover personal details such as marital status, management position and, if desired, driver's license entitlement."

On "www.verifiera.se/bakgrundskontroll" the following appears:

   "If you do a background check on a private individual that contains financial information, the person must give their consent for the background check to be possible. A copy of the information is sent to the person searched for, in accordance with the Credit Information Act."

   "When a user wishes to do a background check on an individual, the user has the possibility to adjust how comprehensive it should be. The user can exclude financial information in cases where it would not be of interest."

   "Depending on what need you have to do background checks, you can choose between buying background check reports individually or a larger quantity of reports within the framework of a subscription to Verifiera's legal database."

   "BACKGROUND CHECK - PIECE BY PIECE. If you only need a background check occasionally, you can order background checks individually. They cost SEK 1,295 each excluding VAT."

   "Is everything done online? Yes, Verifiera's legal database is a digitization of Swedish public documents from courts and authorities. Our customers' searches and filtering are done in Verifiera's interface and the result is generated online in real time."

   "Is it complicated to do a background check? No, you need to know the social security number, organization number or personal or company name in order to do a background check. Searches based on social security number and organization number give the fastest and safest results."

[3] These descriptions are documented in service notes (file appendix 2 and 2.1-2.7 in the case).


The following appears on "www.verifiera.se/abonnemang":

   "What does Verifiera's subscription mean? The subscription means that you get access to our easy-to-use online tool, where you get access to our entire legal database and can quickly find and share the information you are looking for.

   Verifiera's business service is aimed at companies, authorities and other organizations with a need to carry out background checks on private individuals and companies. The service includes an easy-to-use web interface where you can quickly find and share the information you are looking for. All judgments, decisions and diary sheets are searchable in full text and can be read in their original form as PDF. We also provide API solutions for those who so desire."

   "When logged into the legal database, the user can search with a number of different parameters such as social security number, organization number, name, address, legal entity and free text, etc."


The following appears on "www.verifiera.se/vart-werktyk":

   "Verifiera's legal database regularly collects public documents from Sweden's courts and authorities. The legal database stretches back in time to 2008. In addition to judgments, legal documents such as brought charges, issued subpoenas, diary sheets, non-prosecutions and penalty orders are collected, which means that our customers can easily follow the progress of a legal case through the legal process. Unlike the police criminal record, Verifiera's legal database is not screened, which ensures that you have the opportunity to decide for yourself whether a legal document is relevant to your business decision or not."

On all pages, reference is made to the possibility of trying Verifiera free of charge for 14 days, both through a direct link in the header to the form for trying Verifiera and through other links on the pages about starting the 14-day trial period.






During previous checks of the Website, IMY observed a web page describing which documents the legal database contains. The corresponding page no longer seems to be accessible from Verifiera's home page, but the linking URL was still working as of April 6, 2022. The enumeration of case types from the administrative courts includes the following:

   • Social insurance cases, i.e. cases regarding disputes with the Swedish Social Insurance Agency in matters relating to e.g. worker's compensation, parental allowance or various forms of support for the disabled.
   • LVU cases (cases under the Act with special provisions on the care of young people), i.e. cases about whether minors must be taken into compulsory care outside their own home.
   • LVM cases (cases under the Act on the care of drug addicts in certain cases), i.e. cases about compulsory care for drug addicts.
   • Psychiatric cases, i.e. cases dealing with matters relating to compulsory psychiatric care and forensic psychiatric care.

What Verifiera AB has stated

Opinion on 27 May 2022
Verifiera AB has essentially stated the following in its opinion on 27 May 2022.

Verifiera is a Swedish limited company with a certificate of publication for its operations. On November 2, 2016, the Authority for Radio and Television issued a certificate of publication for Verifiera.se. The business is therefore constitutionally protected under the Freedom of Expression Act. This is also acknowledged by IMY on the authority's website: "The Data Protection Regulation (GDPR) does not affect businesses with certificates of publication."

It follows from the constitution that the GDPR shall not be applied to activities covered by the Freedom of Expression Act. Even outside the scope of the Freedom of Expression Act, the GDPR is excluded through the general exceptions for journalistic purposes as well as explanatory statements about the importance of the right to freedom of expression in a democratic society.

IMY's supervision involves overstepping the authority's powers and competence. That IMY lacks powers and competence is also evident from the authority's answer on its website to the question of whether complaints can be submitted to IMY about sites that have a certificate of publication: "No. Unfortunately, we have no way of getting those types of sites to remove information if you send us a complaint. To provide feedback regarding the legislation on certificates of publication, we recommend that you contact the legislator, in this case the Constitution Committee. They are responsible for preparing questions of constitutional and administrative law significance."

On the Website, Verifiera provides, within the scope of its certificate of publication, among other things scanned judgments obtained from Sweden's Courts. The documents are public and accessible to the general public, credit companies and other equivalent services, which follows from the Swedish principle of openness.


Verifiera is a news agency regarding, among other things, research and background checks. Verifiera uses a subscription model, which means that it is mainly various types of organizations and professional actors with a need for the information on the Website in their professional practice, for example companies and authorities, that use the Website. Only paying users can access the material on the Website, after which the users can, through active measures in real time, access information from judgments and decisions which are scanned and available on the Website. Before a customer signs an agreement with Verifiera, the customer can try the service for fourteen days, on condition that the customer undergoes a demonstration of the service. During the trial period, access to a standard subscription is offered.

Through its activities, Verifiera contributes to free and comprehensive information in an appropriate way. Verifiera's business is also not unique. On the contrary, equivalent or more extensive services have long been provided by well-established services (e.g. www.infotorg.se and www.juno.se, formerly Karnov). As with these services, it is possible on the Website to find judgments and decisions, including administrative court judgments, through free text search or through more specific search fields (called filters in some databases). Because the documents on the Website consist of public documents that are available for anyone to access in many places other than the Website, not least through other services or through the courts or authorities themselves, there is no particular risk with the publication that takes place on the Website.


The background extension service enables customers, through a request for consent from the person to whom the background check relates, to obtain a background check report regarding any ongoing or previous legal disputes. The legal data is retrieved from courts and authorities and consists of public documents. A prerequisite for such a background report is that the person in question agrees to it; verification takes place with, among other things, BankID. The service has no connection to the Data Protection Regulation.

As for Verifiera's data and IT security, it is very high. The company has its own servers located in data centers within the EU. Verifiera uses software that is not accessible via the internet, which means that all services are isolated from each other as well as from the internet. Only Verifiera's CTO and network administrator have access to the software. In case an IP address is reachable from the internet, it is protected by a firewall bound to specific IP addresses. All of Verifiera's systems are built with protection against various types of IT attacks.


With regard to decisions on health care, strong confidentiality applies to information on the state of health of individuals, which means that such information may only be disclosed if it is clear that neither the individual nor anyone close to him suffers harm. The same applies in other medical activities, for example forensic medical and forensic psychiatric examination. Judgments and decisions relating to such matters are subject to confidentiality, and the courts therefore do not disclose information about health or the like. Since the judgments found on the Website correspond to those at the court, the same applies to the documents available on the Website.


Opinion on 13 June 2022
Verifiera AB has essentially stated the following in its opinion on 13 June 2022.

Introduction and general
Verifiera maintains the positions expressed in the opinion of May 27, 2022.

It is Verifiera's opinion that IMY lacks any right to initiate the present review as well as to exercise supervision over Verifiera. The fact that Verifiera answers, in more detail, questions regarding compliance with the Data Protection Regulation does not mean that Verifiera accepts that the Data Protection Regulation is applicable or that IMY has any right at all to conduct the review that is being carried out. Concepts such as "personal data processing" and others are used even though Verifiera's view is that the company's handling of public documents does not constitute a processing of "personal data" covered by the Data Protection Regulation.


The purposes of the personal data processing carried out in the services
Verifiera provides public documents to the users of the Services for the purpose of carrying out its constitutionally protected activities and, in a wider sense, promoting all-round information and a free formation of opinion.

Who decides on the purposes and means of the processing in the respective service
Verifiera decides on the purposes and means of the "personal data processing" in the Services. Verifiera would like to point out, however, that from a journalistic point of view it is the user who decides on the purposes, in the same way as a newspaper reader himself determines the purpose when reading a published newspaper, and not the newsroom that published the newspaper.


Whether consent is collected from affected persons before processing in any of the services
Consent in the sense referred to in Article 6.1 a of the Data Protection Regulation, and express consent in the sense referred to in Article 9.2 a, is collected in connection with background checks in the Background Supplement Service from the person to whom the check applies. The service enables customers, through a request for consent from the person to whom the background check refers, to obtain a background check report regarding any ongoing or past legal disputes. The legal data is taken from courts and authorities and consists of public documents. A prerequisite for such a background report is that the person in question agrees to it, and verification takes place with, among other things, BankID. Consent is not otherwise collected.

Legal basis for the processing and circumstances showing that it is valid
The processing in the Services is necessary to protect interests of fundamental importance for the data subject or for another natural person, i.e. the public's right to freedom of expression and access to public documents, etc.

The processing in the Services is necessary for purposes related to Verifiera's legitimate interest in being able to run its constitutionally protected activities within the framework of its certificate of publication.

The processing in the Services is necessary for purposes that concern the general public's legitimate interest in, within the framework of Verifiera's constitutional protection, accessing public documents available in the Services.

In the present case, the interests of the "data subjects" do not outweigh the right to freedom of expression. The documents found in the Services are available through several other sources. The type of court decision in question should be of no interest, since courts have to apply confidentiality to the extent that information about health is present.


Whether information about health in the sense referred to in Article 9.1 is processed
Verifiera has understood that IMY's review refers to information in court decisions from the general administrative courts.

Administrative courts rule on a wide range of legal areas, most of which are likely to lack any relevance for IMY, such as cases of tax, PBL, migration, legality review, driver's license interventions, different types of permits, foundations, land and environment, animal welfare, public procurement, etc.






IMY has not specified in more detail exactly which case types it considers may contain "sensitive personal data", although some examples have been given. Furthermore, IMY has not stated the extent to which it believes such cases contain "sensitive personal data" but seems to treat all the exemplified case types alike, an approach that Verifiera questions.

It is possible that some case types may, to an unknown extent, contain data regarding people's health. However, as stated above, the courts have to observe strict confidentiality regarding health and similar information. If a judgment from an administrative court is public (and not protected by secrecy), the data in it, to the extent such data are apparent, are also public. Courts are generally reluctant to state data that can in any way be described as "sensitive". The courts limit the information in judgments to the level necessary to explain the outcome of the case. To the extent that a court decision nevertheless contains information that can be designated as "sensitive", the processing is necessary, among other things, with regard to an important public interest on the basis of Swedish law. The processing carried out by Verifiera is proportionate to the purpose pursued and is also consistent with how rules on data protection are to be handled within the constitutionally protected area.


What information is provided to the persons concerned
Verifiera provides information about the content on Verifiera.se to its users. A data subject has the opportunity to become a user of Verifiera.se and can thus access the public documents available there.

Whether users of the Background Check service receive information that the person searched for appears as the appellant in cases of compulsory psychiatric care
Users of the Services get access to the information available on the Website, and that includes any judgments that may affect them. Information about judgments provided on the Website is clearly stated.

Regarding the background check function, reference is made to what was stated above.


Any changes made to the Services compared to the description which appeared on the website on April 4, 2022
No changes have been made. To the extent that a law is enacted on prohibitions regarding personal data relating to health, Verifiera will review its operations in an appropriate manner.


                                Addendum regarding ch. 1 Section 20 YGL
                                The wording of ch. 1 Section 20 YGL states that the YGL does not prevent regulations
                                on prohibition of publication of personal data from being issued by law. The preparatory
                                work for ch. 1 Section 20 YGL does not state that the data protection regulation would be
                                applicable to the provision. That would have been the case if it was intended that it,
                                contrary to the provision's wording, would accommodate other laws on prohibition. From
                                the commentary on YGL on Juno it appears that the delegation provision has not been
                                followed up by any legislation.


                                It is not possible to interpret a constitution for its purpose.

                                It is not possible to see what consequences a possible negative decision may have, and the
                                legal situation after such a decision will be highly unclear. A legally secure course of
                                action would have been to await a possible law of prohibition before starting a review.
                                Verifiera would then have had knowledge of the legal situation and the content of any
                                prohibition. Verifiera would then have been able to act and adapt accordingly. The current
                                review lacks all forms of predictability and legal certainty. Verifiera's view is that the
                                review as such and any negative decision containing corrective measures may constitute
                                abuse of authority.


                               The Credit Information Act – a comparative outlook
                               In the constitutions, there are provisions regarding credit information activities (which
                               include operations with certificates of issue) that do not prevent regulations on the
                               prohibition of such activities in certain specific situations from being issued.

                               Such regulations have, with the support of delegation provisions in the constitution, been
                               introduced in the Credit Information Act, whereby special references are expressly made to
                               the data protection regulation and the data protection act. It also expressly states that
                               IMY is the supervisory authority.


                               In these respects, IMY thus derives its authority from law and has, through
                               express provisions in law introduced with the support of a delegation provision, the right
                               to apply the data protection regulation in certain expressly stated respects.


                               All this is missing now. In the present case, the delegation provision in ch. 1 Section 20 YGL
                               has not been utilized and IMY lacks both the authorization and the authority to review
                               Verifiera's constitutionally protected activities.


                               Especially about other databases
                               As stated above, Verifiera's business is not unique. Corresponding or
                               more comprehensive services are provided by long-established services.

                               As a result of IMY's review, Verifiera has carried out searches on such
                               well-established services, for example juno.se. On juno.se, Verifiera has received hits on
                               the social security numbers, names and addresses searched for. These search results show
                               that Verifiera's operations follow the industry standard for operations with certificates
                               of issue and that Verifiera's activity is not improper; on the contrary, the activity is in
                               all essentials the same as that of the market-leading companies in the industry.

                               A decision that the data protection regulation is applicable would have unforeseeable
                               consequences for the entire industry. In light of this and what is stated in the
                               paragraph above, it is very strange that IMY chooses to turn to Verifiera instead of
                               the well-established market-leading companies in the industry as is customary.


                               Limitation of the scope of examination in the review


                               Against the background of the nature of the matter - including the answers that Verifiera has
                               provided – IMY limits its examination of the Services during the relevant period to


                                   • whether ch. 1 § 20 YGL is applicable regarding the collection of data in the Services,
                                   • whether the exception for journalistic purposes in ch. 1 Section 7, second paragraph of
                                        the Act (2018:218) with supplementary provisions to the EU's data protection regulation
                                        is applicable to the processing in the Services and
                                   • whether the company processes personal data about health in the sense referred to in
                                        Article 9 of the Data Protection Regulation by including rulings in cases under
                                        the law on compulsory psychiatric treatment and under the law on treatment of drug
                                        addicts in certain cases in the data collection and, if so, whether the processing is
                                        compatible with Article 9.


                               The review therefore does not cover whether Verifiera's processing of personal data in the
                               Services is otherwise compatible with the data protection regulation. The examination also
                               does not cover an assessment of whether Verifiera, by disclosing in the Services financial
                               information about private persons, conducts credit reporting activities and, if so, whether
                               this is compatible with the provisions of the Credit Information Act (1973:1173) and the
                               data protection regulation.


                                 Justification of the decision


                                 Legal background


                                 EU law's regulation of the relationship between the right to protection of personal data
                                 and the right to freedom of expression and information
                                 The purpose of the Data Protection Regulation is to protect personal integrity in the
                                 processing of personal data and to harmonize data protection regulation in order to
                                 enable a free flow of personal data within the EU. The data protection regulation
                                 specifies the fundamental right to protection of personal data which is established in
                                 Article 8 of the Charter of Fundamental Rights of the European Union (below
                                 the charter). According to Article 8.1 of the charter, everyone shall have the right to
                                 protection of the personal data concerning him or her. According to Article 8.2, personal
                                 data must be processed lawfully for specific purposes and on the basis of the data subject's
                                 consent or any other legitimate and lawful basis. Everyone has the right to receive
                                 access to collected data concerning him or her and to have it rectified.
                                 Article 8.3 stipulates that an independent authority must check that these rules
                                 are complied with. A right that is closely linked with the right to protection of
                                 personal data is the right to respect for private life and family life, which is laid down
                                 in Article 7 of the charter.

                                 Article 11 of the charter establishes the right to freedom of expression and information.
                                 There it is stipulated that everyone has the right to freedom of expression. It is further
                                 stipulated that this right includes freedom of opinion and freedom to receive and
                                 disseminate information and thoughts without interference by public authority and
                                 regardless of territorial boundaries.

                                 Neither the right to protection of personal data nor the right to freedom of expression
                                 and information are absolute rights. Article 52.1 of the charter states that
                                 limitations in the exercise of the rights and freedoms recognized in the charter shall
                                 be prescribed by law and compatible with the essential content of these rights
                                 and freedoms. Furthermore, it is stated that limitations, taking into account the principle
                                 of proportionality, may only be made if they are necessary and actually meet the objectives
                                 of public interest recognized by the Union or the need for protection of other
                                 people's rights and freedoms.


                                 Against this background, the data protection regulation has been designed with regard to
                                 freedoms and rights other than the right to protection of personal data, including freedom
                                 of expression and information. The task of balancing these two rights has essentially been
                                 handed over to the member states within the framework of the regulation in article 85.
                                 Article 85.1 of the data protection regulation stipulates an obligation for member states
                                 to reconcile the right to privacy according to the data protection regulation with freedom
                                 of expression and information, including processing that takes place for journalistic
                                 purposes or for academic, artistic or literary creation. According to Article 85.2,
                                 Member States shall, for processing that takes place for journalistic purposes or for
                                 academic, artistic or literary creation, establish exceptions or deviations
                                 from chapter II (principles), chapter III (data subject's rights), chapter IV
                                 (controller and processor), chapter V (transfer of
                                 personal data to third countries or international organizations), Chapter VI
                                 (independent supervisory authorities), Chapter VII (cooperation and consistency) and
                                 Chapter IX (special situations when processing personal data) if these are necessary
                                 to reconcile the right to privacy with freedom of expression and information.

                                 4 See article 1 of the data protection regulation and i.a. recital 10 to the regulation.
                                 5 Cf. recital 1 to the data protection regulation.
                                 6 See recital 4 of the data protection regulation.
                                 7 Cf. the EU Court's judgment Buivids, C-345/17, EU:C:2019:122, p. 50.

                                 Article 52 of the charter and Article 85 of the data protection regulation thus set limits
                                 for how Member States may reconcile the right to the protection of personal data with the
                                 right to freedom of expression and information. That the rights must be reconciled means
                                 that one of the rights must not be given a general priority over the other. Furthermore,
                                 exceptions from the right to protection of personal data according to the data protection
                                 regulation may only take place if the exceptions are necessary to reconcile the rights.8
                                 The European Court of Justice has stated that to make a balanced trade-off between the
                                 fundamental rights it is required that exceptions and limitations in relation to the
                                 protection of personal data do not apply beyond the limits of what is strictly necessary.
                                 This statement concerned directive 95/46/EG,10 which was replaced by the data protection
                                 regulation, but is according to IMY's assessment relevant also in relation to the data
                                 protection regulation.


                                 The European Court of Justice has also ruled that in order to take into account the
                                 importance of freedom of expression in democratic societies, the concepts associated with
                                 it, including journalism, must be interpreted in a broad sense. This means, among other
                                 things, that exceptions from and limitations of the data protection regulation should not
                                 only apply to media companies, but to all persons who are active in journalism. It is
                                 further clear from the court's case law that "journalistic activity" is such activity that
                                 aims to disseminate information, opinions or ideas to the public, regardless of the medium
                                 through which this happens.11


                                 The Swedish Data Protection Act's exception for freedom of expression and information

                                 In Swedish law, regulations based on Article 85 of the Data Protection Regulation have
                                 been issued in ch. 1 Section 7 of the Act (2018:218) with supplementary provisions to the
                                 EU's data protection regulation (hereinafter the data protection act).


                                 In ch. 1 Section 7, first paragraph, of the Data Protection Act, an exception is made for
                                 such processing as is covered by the Freedom of the Press Ordinance (TF) and the Freedom of
                                 Expression Act (YGL), below collectively referred to as the basic media laws. The said
                                 provision states that the data protection regulation and the data protection act shall not
                                 be applied to the extent that this would conflict with TF or YGL. According to the
                                 preparatory work, it is thereby made clear that the basic media laws take precedence over
                                 the data protection regulation and the provisions of the Data Protection Act.12




                                 8 Cf. ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 63.
                                 9 ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 64.
                                 10 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
                                 protection of individuals with regard to the processing of personal data and the free flow of such data.
                                 11 See ECJ judgment Buivids, C-345/17, EU:C:2019:122, pp. 51–53.
                                 12 See prop. 2017/18:105, p. 187.

                                The basic media laws provide far-reaching protection for freedom of expression and information.

                                For example, according to the so-called instruction, the person who is to judge abuse
                                of the freedom of the press and expression – or in other ways watch over that the
                                constitutions are complied with – should always bear in mind that the freedom of the press
                                and expression are the foundations of a free society, always pay attention to the subject
                                and the thought more than to the illegality of the expression, as well as to the purpose
                                more than to the method of presentation, and in doubtful cases rather acquit than convict
                                (ch. 1 § 10 TF and ch. 1 § 15 YGL). Furthermore, an authority may not
                                prohibit or impede such provision due to its content, without support in
                                the constitution, the so-called obstruction ban (ch. 1 § 11 YGL). In addition, an authority
                                may not intervene against anyone for abuse of freedom of expression, unless there is
                                support for the intervention in the constitution (ch. 1 § 14 YGL).

                                In ch. 1 Section 7, second paragraph of the Data Protection Act, exceptions are made for
                                freedom of expression and information outside the constitutionally protected area. The
                                exception includes processing of personal data that takes place for journalistic purposes
                                or for academic, artistic or literary creation. It could, for example, be a matter of
                                journalistic activity conducted in blog form but without a certificate of issue.
                                The provision states that Articles 5–30 and 35–50 of the EU Data Protection Regulation and
                                chapters 2–5 of the Data Protection Act shall not be applied to processing that takes place
                                for e.g. journalistic purposes. The exception means that the provisions of the data
                                protection regulation and the Data Protection Act on supervision, remedies, liability and
                                sanctions are in practice applicable only to the extent of supervision of or violations of
                                the provisions on security for personal data.13


                                The constitutional regulation on voluntary certificates of issue
                                For the exception in ch. 1 Section 7 first paragraph of the Data Protection Act to be
                                applicable, it is required that it is a question of processing that is covered by
                                constitutional protection according to the basic media laws. As a general rule, publications
                                on the internet fall outside YGL's scope of application. This means that the data protection
                                regulation is normally applicable to such processing. However, exceptions to the main rule
                                are made through, among other things, the database rule (ch. 1 § 4 YGL). For the processing
                                of personal data that is covered by the database rule, the data protection regulation is,
                                according to ch. 1 Section 7 first paragraph of the Data Protection Act, not applied to the
                                extent it would conflict with the Freedom of Expression Act.


                                Under certain conditions, the database rule provides constitutional protection for
                                statements that take place through provision to the public from databases. What is typically
                                meant is provision of stored information from websites upon request. For some
                                actors the constitutional protection applies automatically, i.e. without any special
                                action needing to be taken. This is the case for periodicals and editorial boards
                                for programs. Also other traditional mass media companies, such as book publishers
                                that publish printed books and news agencies, have automatic constitutional protection for
                                their databases. Other actors have the opportunity to apply to the Press, Radio and
                                Television Authority for a certificate of issue and thus receive so-called voluntary
                                constitutional protection (cf. ch. 1 § 4 first paragraph 1 d and § 5 YGL). In the case of
                                an application for a certificate of issue, no examination is made of the content or
                                purpose of the database.


                                13 See prop. 2017/18:105, p. 187.
                                14 Prop. 2021/22:59, p. 30.

                                The voluntary constitutional protection for databases was introduced in 2003 following a
                                development which meant that actors other than the traditional mass media companies had, to
                                an ever greater extent, started providing information to the public on the Internet. Other
                                media companies and individuals had become involved in news reporting, opinion formation and
                                enlightenment, and the new communication was considered necessary for
                                freedom of expression and freedom of information. Against this background, the government
                                made the assessment that there were reasons to offer constitutional protection equivalent to
                                that which previously had been reserved for the mass media companies also to the new
                                actors.15 But already when the voluntary constitutional protection was introduced, the
                                Constitution Committee warned that conflicts with the protection of personal integrity could
                                arise and pointed out in particular that the constitutional protection could in the worst
                                case include databases that are pure personal records. The Constitution Committee therefore
                                considered that the government should further analyze or have analyzed whether the voluntary
                                constitutional protection could come into conflict with the provisions intended to protect
                                personal integrity. The Riksdag agreed with the committee's assessment and
                                announced this to the government.17


                                The Free Speech Committee was tasked with analyzing the issue, but made
                                the assessment that there was no need for constitutional amendments. In 2014, the
                                government tasked the Media Basic Law Committee with re-investigating the issue.
                                The Media Basic Law Committee made the assessment that there were reasons to restrict
                                constitutional protection for certain types of search services and instead allow regulations
                                at the level of ordinary law. The Committee therefore proposed an express exception in TF
                                and YGL for certain search services that provide sensitive personal data (among other things
                                such as reveal political or religious views or relate to health and sexual life) and
                                information about legal violations, etc.19 The government agreed with the committee's
                                assessment and proposed changes in TF and YGL in accordance with the committee's proposal.20


                                The Riksdag adopted the government's proposal for amendments to TF and YGL in the part where
                                the amendments referred to data collections with sensitive personal data but rejected the
                                proposal in the part where it concerned personal data on legal offences. However, the
                                Riksdag announced to the government that an inquiry should be commissioned to re-investigate
                                the question of limiting the constitutional protection of search services that contain
                                personal information that individuals have committed legal offences, appear in convictions
                                or have been subject to criminal procedural coercive measures.21


                                On January 1, 2019, the amendment to the basic media laws entered into force (ch. 1 § 13 TF
                                and ch. 1 § 20 YGL). It is clear from these provisions that the provisions of the YGL do not
                                prevent regulations being issued by law prohibiting the publication of
                                personal data about, among other things, health (Chapter 1 § 20 first paragraph 2 YGL). This
                                applies only if the personal data is included in a data collection that has been arranged
                                so that it is possible to search for or compile these (chapter 1 § 20 second paragraph 1).
                                In addition, it is required that, with regard to the business and the forms under which
                                the data collection is kept available, there are special risks of improper intrusions into
                                the personal integrity of individuals (Chapter 1 § 20 second paragraph 2).


                                15 Prop. 2001/02:74, pp. 47–48.
                                16 Bet. 2001/02:KU21, p. 32.
                                17 Rskr. 2001/02:233.
                                18 SOU 2009:14 and SOU 2012:55.
                                19 SOU 2016:58.
                                20 Prop. 2017/18:49, p. 144.
                                21 See bet. 2017/18:KU16 and 2018/19:KU2, rskr. 2017/18:336 and 2018/19:16.

                                In accordance with the Riksdag's announcement, the government tasked the 2018 Press and
                                Freedom of Expression Committee with investigating the question of a restriction of
                                the constitutional protection for data collections with information about legal violations,
                                etc. The committee presented proposals which meant that the existing delegation provisions
                                on sensitive personal data would be supplemented in such a way that personal data about
                                offenses were added to the list of categories of personal data that can be
                                regulated by ordinary law. The committee also proposed certain other changes in
                                the design of the existing delegation provision.22 The government presented
                                proposals for changes in ch. 1 § 13 TF and ch. 1 § 20 YGL in accordance with the committee's
                                suggestions.23 However, the Riksdag rejected these proposals with the exception of a
                                correction of linguistic inaccuracies in the regulations.24


                                 The interpretation of ch. 1 Section 20 YGL and IMY's authority


                                 According to ch. 1 § 20 first paragraph 2 YGL, the provisions of YGL do not prevent
                                 regulations being issued in law on the prohibition of publication of personal data about,
                                 among other things, health. The first question that IMY has to decide on is thus whether
                                 the provisions of the data protection regulation constitute such prohibition regulations
                                 issued in law as are referred to in ch. 1 Section 20 YGL.


                                 IMY makes the assessment that the expression "regulations in law" in ch. 1 § 20 YGL covers
                                 EU regulations and that "regulations on prohibitions" in ch. 1 § 20 YGL cover not only
                                 outright bans on the publication of personal data but also regulations that are less
                                 intrusive and which limit the possibility of publishing personal data. IMY makes
                                 this assessment for the following reasons.


                                 When the expression "law" is used in Swedish constitutions in the way that occurs in ch. 1
                                 Section 20 YGL, the term normally covers EU regulations without this being specified in the
                                 legal text.25 The preparatory work for ch. 1 Section 20 YGL states that this provision must
                                 also be interpreted in this way. It states that EU regulations are equated with law,
                                 according to the practice which developed in connection with the existing delegation
                                 provision. It is further stated that the provision also includes an opportunity to
                                 prescribe measures that are less intrusive than prohibition.27 Similar statements are made
                                 in the legislative matter on consequential changes in ordinary law to the changes in the
                                 basic media laws. It states that the provisions of the data protection regulation and the
                                 Data Protection Act would regulate the data collections with personal data covered by the
                                 proposed exception provisions in the Freedom of the Press Ordinance and the Freedom of
                                 Expression Act (i.e. ch. 1 § 13 TF and ch. 1 § 20 YGL). Also the bill that was prompted by
                                 the report from the 2018 Press and Freedom of Expression Committee states that
                                 the provisions of the data protection regulation constitute such regulations in law as
                                 referred to in ch. 1 Section 20 YGL. This means that the data protection regulation must
                                 be applied in those cases where the conditions in ch. 1 § 20 YGL are fulfilled. In other
                                 words, the exception provision in ch. 1 § 7 first paragraph of the Data Protection Act is
                                 not applicable to such processing because an application of the data protection regulation
                                 would not conflict with YGL.


                                 IMY is a supervisory authority under the data protection regulation and is thus authorized
                                 to exercise supervision over such processing as is exempt from constitutional protection
                                 under ch. 1 § 20 YGL. This means that IMY has the authority to examine whether ch. 1 § 20
                                 YGL is applicable





                                 22 SOU 2020:45.
                                 23 Prop. 2021/22:59.
                                 24 Bet. 2021/22:KU14 appendix 3, SEK 2021/22:283.
                                 25 See e.g. prop. 2017/18:105, pp. 27, 127, 130 and prop. 2020/21:172, p. 258. Cf. also prop. 1999/2000:126,
                                 pp. 135 f. and 272.
                                 26 Prop. 2017/18:49, pp. 147 f., 154, 188 and 255. See also SOU 2016:58, p. 406.
                                 27 Prop. 2017/18:49, pp. 188 and 255. See also SOU 2016:58, p. 406.
                                 28 Prop. 2021/22:59, p. 39 f. and Ds 2017:57, p. 118.
                                 29 Prop. 2021/22:59, p. 39 f.
                                 30 Section 33 of the regulation (2018:219) with supplementary provisions to the EU's data protection regulation
                                 and Section 2 a of the regulation (2007:975) with instructions for the Swedish Privacy Agency.






                                 to a certain processing, in order to clarify whether the data protection regulation is
                                 applicable or not. 31


                                 The exception in ch. 1 § 20 YGL is applicable


                                 In order for the delegation provision in ch. 1 § 20 YGL to be applicable to the processing
                                 of personal data in question in the Services, the following three conditions must be met:

                                 1) that sensitive personal data is made public (first paragraph),

                                 2) that the data is part of a collection of data that has been arranged so that it is
                                 possible to search for or compile it (second paragraph 1), and

                                 3) that, with regard to the business and the forms in which the data collection is kept
                                 available, there are particular risks of improper intrusion into individuals' personal
                                 privacy (second paragraph 2).


                                 Personal information about health is made public

                                 IMY states at the outset that the information included in the Services is published in
                                 the way referred to in ch. 1 § 20 YGL. The next question is whether the data that Verifiera
                                 provides through the Services contains such personal data as is specified in ch. 1 § 20
                                 first paragraph YGL. As stated above, IMY has limited its review to rulings in cases in the
                                 general administrative courts under the Act on Compulsory Psychiatric Care (LPT), so-called
                                 psychiatry cases, and under the Act on the Care of Drug Addicts in Certain Cases (LVM),
                                 so-called LVM cases. The sensitive personal data that may primarily appear in
                                 such rulings is information on health according to ch. 1 § 20 first paragraph 2 YGL.

                                 According to the preparatory work, the concept of personal data on health has been taken
                                 from Article 9.1 of the data protection regulation and shall be given the same meaning as
                                 in the regulation. 32


                                 Data on health is defined in Article 4.15 of the Data Protection Regulation as

                                 personal data relating to a natural person's physical or mental health, including
                                 provision of healthcare services, which provide information about his
                                 health status.


                                 The European Court of Justice has ruled that the special categories of personal data
                                 specified in Article 9 of the Data Protection Regulation, including information about
                                 health, must be given a broad interpretation. According to the European Court of Justice,
                                 it is sufficient that the data indirectly discloses sensitive information for it to be
                                 covered by the protection in Article 9 of the Data Protection Regulation. 33 Furthermore,
                                 according to the European Court of Justice, the concept of "data on health" includes all
                                 aspects of a person's health, both physical and psychological. 34 The European Data
                                 Protection Board (EDPB) has stated that the concept of "information about health" should be
                                 interpreted broadly and includes, among other things, information collected by healthcare
                                 providers in a patient record (e.g. medical history and results of examinations and
                                 treatments). 35


                                 Verifiera's own information shows that the company provides, through the Services, all
                                 rulings in psychiatry cases and LVM cases from the general administrative courts since 2008
                                 in unchanged condition.



                                 31 Prop. 2021/22:59, pp. 53–54.
                                 32 Prop. 2017/18:49, p. 188.
                                 33 ECJ judgment Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, pp. 125–128.
                                 34 ECJ judgment Lindqvist, C-101/01, EU:C:2003:596, p. 50–51.
                                 35 Guidelines 3/2020 on the processing of data on health for scientific research purposes in connection with
                                 the covid-19 outbreak, p. 7–8.






                                Section 3 of the LPT states that compulsory care under that law may only be given if the
                                patient is suffering from a serious mental disorder and if certain other conditions are met.
                                According to § 4 LVM, compulsory care must be ordered under that law if someone, as a result
                                of ongoing abuse of alcohol, drugs or volatile solvents, is in need of care to get away from
                                their abuse and certain other prerequisites are met.


                                IMY finds that information that someone is or has been the subject of compulsory care under
                                LPT or LVM – which means that the prerequisite "suffers from a serious mental disorder"
                                or the prerequisite "as a result of ongoing abuse of alcohol, drugs or volatile
                                solvents is in need of care to get out of their addiction" is fulfilled – is
                                information about health in the sense referred to in ch. 1 § 20 first paragraph 2 YGL and
                                Article 9.1 of the data protection regulation. It is not a prerequisite for this assessment
                                that the actual diagnosis or cause also appears.

                                The decisions of the general administrative courts mainly concern review of
                                authorities' decisions after appeals by individuals. Some particularly drastic decisions,
                                however, are reviewed or made there without the individual having appealed any decision,
                                either after the authority that made the decision has submitted it for judicial review or
                                has applied for the decision to be made. This applies, among other things, to psychiatry
                                cases, where a patient who is subject to compulsory care can appeal certain decisions
                                connected to the care to the administrative court (see §§ 32 and 33 LPT), while certain more
                                intrusive decisions must be submitted for review by the administrative court (see e.g.
                                § 12 LPT) or are only made after the authority's application to the administrative court
                                (see e.g. § 7 LPT), regardless of the individual's attitude. This also applies to LVM cases,
                                where the court decides on the provision of compulsory care under LVM (see § 5) or reviews
                                decisions on immediate care under LVM after submission (see §§ 15 and 17).

                                Cases in the general administrative courts are decided by judgment or decision
                                (collectively referred to as rulings). Such rulings must state the reasons that determined
                                the outcome (section 30 second paragraph of the Administrative Procedure Act [1971:291]).
                                Furthermore, the ruling must state the parties (i.e., among other things, who has appealed
                                or who is the subject of the application or the submitted decision), the matter in brief
                                and, to the extent needed, an account of the judgment or decision that has been appealed or
                                submitted (Section 13 of the Ordinance [2013:390] on cases in general administrative court).


                                Against this background, IMY states that the general administrative courts'
                                rulings in psychiatry cases and LVM cases typically contain information about the health of
                                the person who is the subject of compulsory care, i.e. the person who has
                                appealed the decision made under the respective law or who is the subject
                                of the application or the submitted decision without appeal.


                                Because such rulings are provided in their unaltered state by Verifiera through
                                the Services, the criterion in ch. 1 § 20 first paragraph YGL that sensitive personal data
                                is published is fulfilled.

                                The data collection has been arranged so that it is possible to search for or
                                compile sensitive personal data

                                The second question that IMY must decide is whether the sensitive data is included in a
                                collection of data that has been arranged so that it is possible to search for or compile
                                it (ch. 1 § 20 second paragraph 1 YGL).

                                Initially, it is stated that the word "data collection" in YGL was chosen to avoid
                                confusion with the term "register", which is what is meant in normal parlance.







                                 According to the preparatory work, no large amount of data is required, but there must be

                                 personal data relating in any case to more than one person and the data must be
                                 sorted according to some kind of system. 36


                                 Verifiera has stated that all decisions from 2008 onwards exist and have been made
                                 searchable in the Services and, when asked, did not provide detailed information about the
                                 number of decisions that are actually processed. IMY has therefore obtained the official
                                 statistics that the Courts Agency has produced on settled cases in the general
                                 administrative courts. Verifiera has had the opportunity to comment on this material but has
                                 not submitted any opinion. 37 The statistics show that during the period 2008–2021 there is
                                 a total of approx. 210,000 decisions, of which approx. 193,000 (approx. 13,800 per year) in
                                 psychiatric cases 38 and approx. 18,000 (approx. 1,300 per year) in LVM cases 39 for rulings
                                 in the administrative courts alone. Even if it can be assumed that some of these rulings
                                 apply to the same people, it can be established that this involves a large amount of
                                 information about health concerning a large number of people. According to IMY, there is no
                                 doubt that it is such a data collection as referred to in ch. 1 § 20 second paragraph 1 YGL.


                                 With regard to the expression "arranged so that it is possible to search for or compile
                                 the data", it is stated in the preparatory work that the data collection does not need to
                                 have been structured in a way that facilitates searching for exactly the personal data
                                 covered by the provision. For the provision to be applicable, it is sufficient that
                                 the data collection provides the opportunity for free text searching. 40


                                 Verifiera's own information shows that it is possible to search the data collection in the
                                 Services through free text search as well as through special fields for searches
                                 on name, social security number, city and address. The data collection has thus been
                                 arranged so that it is possible to search for or compile sensitive personal data in the way
                                 referred to in ch. 1 § 20 second paragraph 1 YGL.


                                 There are particular risks of undue intrusions into personal privacy

                                 Applicable regulations, etc.

                                 The last question for the applicability of ch. 1 § 20 YGL on which IMY has to take a
                                 position is whether there are particular risks of undue intrusions into individuals'
                                 personal integrity.

                                 According to the provision, the assessment of whether there are such special risks is to
                                 be made with regard to the business and the forms under which the data collection is held
                                 available (ch. 1 § 20 second paragraph 2 YGL). The implication is that the scope of
                                 the provision is narrowed down and made dependent on the risks of intrusion into
                                 personal integrity that a certain type of data collection entails. It is thus
                                 only certain qualified situations, which entail special risks of undue
                                 intrusion into the personal integrity of individuals, that are covered. 41








                                 36 Prop. 2017/18:49, p. 150.
                                 37 Available here https://www.domstol.se/om-sveriges-domstolar/statistik-styrning-och-utveckling/statistik/officiell-domstolsstatistik/.
                                 38 Decided psychiatric cases in the administrative courts per year according to statistics from the Courts Agency:
                                 13,649 (2008), 13,551 (2009), 13,309 (2010), 13,267 (2011), 13,242 (2012), 12,942 (2013), 13,836 (2014),
                                 14,034 (2015), 13,881 (2016), 13,425 (2017), 14,108 (2018), 14,561 (2019), 14,594 (2020) and 14,840 (2021).
                                 39 Decided LVM cases in the administrative courts per year according to statistics from the Courts Agency:
                                 1,196 (2008), 1,166 (2009), 1,280 (2010), 1,164 (2011), 1,126 (2012), 1,222 (2013), 1,422 (2014),
                                 1,462 (2015), 1,391 (2016), 1,390 (2017), 1,298 (2018), 1,280 (2019), 1,252 (2020) and 1,183 (2021).
                                 40 Prop. 2017/18:49, p. 189.
                                 41 Prop. 2017/18:49, p. 189.






                                The government stated in the bill Amended media basic laws (prop. 2017/18:49),
                                among other things, the following. 42


                                    "The proposal therefore means that an overall assessment must be made of the nature of
                                    the data collections that are intended to be covered by the legal regulation in
                                    question. Assessment grounds of importance should, as the committee states, be
                                    the target group of the data collections, the forms of provision and the services'
                                    search and compilation functions. This implies that the basic structure of the data
                                    collections can be attributed importance. Services that make it possible
                                    for the public to search on e.g. name, social security number or address to get
                                    information about individuals' health, sex life or occurrence of criminal convictions
                                    would normally entail such risks of undue privacy breaches that they
                                    fall within the scope of the delegation provision.


                                    […]


                                    Data collections with a so-called personal data related structure that aims to
                                    facilitate searches for personal data normally mean greater risks of
                                    undue breaches of privacy than services with a general structure that makes it possible
                                    to search for data with free text search, although the differences are not so great that
                                    they in themselves determine the applicability of the provision. Special search fields
                                    for one or some of the personal data concerned, or the possibility of obtaining a
                                    compilation of these, for example in the form of a map image, typically entail great
                                    risks of undue intrusions into personal privacy. In this context, it should
                                    normally be irrelevant if the service is only available to professional operators.

                                    […]


                                    According to the government, the starting point should be that legal databases that
                                    clearly target a circle that, on professional grounds, has a legitimate need for
                                    the information in question fall outside the scope of application of the provision. In
                                    the assessment, however, the search and compilation functions should be given
                                    importance for such databases too. For example, special search fields
                                    for one or some of the personal data concerned, or the possibility of obtaining a
                                    compilation of these, for example in the form of a map image, can typically be said to
                                    entail great risks of undue intrusions into personal integrity. Such
                                    structures should normally mean that there are conditions for legislation with support
                                    of the delegation provision, even when the legislation affects databases where
                                    the information is provided for a fee and the target group is professional."

                                The Constitution Committee stated, among other things, the following: 43

                                    "The committee opposes making a distinction between whether a service addresses
                                    the general public or a certain professional category. A search service that caters to
                                    the broad public can in and of itself mean a greater breach of privacy than a search
                                    service which is only open to a smaller circle, e.g. a certain occupational category.
                                    But a search service that caters to a certain occupational category may also become
                                    available to a very large number of users. The committee does not consider that the
                                    target group, i.e. the intended or actual user group, in itself must be given any
                                    significance in the assessment of whether a collection of data falls within or outside
                                    the constitutionally protected area. The assessment should instead be made on the basis of


                                42 Prop. 2017/18:49, pp. 152–153 and 190.
                                43 Bet. 2017/18:KU16, p. 41.






                                    the purpose of the provision of the data collection and the type of data
                                    provided. Privacy breaches resulting from data collections provided
                                    with the aim of contributing to a free exchange of ideas and free and comprehensive
                                    information cannot be considered improper and should therefore, as a starting point, be
                                    excluded from the scope of the delegation provisions. The committee wishes to underline
                                    that it is very important that a significant margin be applied as to what
                                    falls within the constitutionally protected area, so that the interest in freedom of
                                    expression does not have to give way to the interest in protecting the privacy of
                                    individuals in borderline cases or situations that are difficult to judge. Such an
                                    approach also gains support in the so-called instruction in
                                    the constitutions, according to which the person entrusted to judge or watch over
                                    freedom of the press and freedom of expression should always bear in mind that freedom
                                    of the press and expression is a foundation for a free state of society, should always
                                    pay attention to the subject and the thought more than the expression, as well as the
                                    purpose more than the method of presentation, and in doubtful cases should rather
                                    acquit than convict. Pure search services for the provision of sensitive personal data
                                    according to the exhaustive enumeration in the provision can be said to be far from the
                                    purposes which the constitutions are to protect, and such services are thus typically
                                    covered by the delegation provisions."


                                IMY's assessment
                                According to IMY, the statements reported above mean the following in summary.
                                What the constitutional committee stated in connection with the constitutional amendment
                                means that, when assessing the risks of privacy breaches according to ch. 1 § 20 YGL, no
                                significance should be attached to whether a search service addresses the general public or
                                is available to a certain occupational category. Instead, an overall assessment must be made,
                                taking into account, among other things, the purpose of providing the data collection,
                                the type of data provided and the search and compilation functions.
                                It should be taken into account that data collections aimed at facilitating searches for
                                personal data in particular normally involve greater risks. However, data collections
                                provided with the aim of contributing to a free exchange of opinions and free and
                                comprehensive information are not considered improper and should therefore, as a starting
                                point, be excluded from the scope of application of ch. 1 § 20 YGL.


                                The collection of data that Verifiera provides is the result of an extensive
                                collection of judicial decisions in psychiatry cases and LVM cases that contain a lot of
                                privacy-sensitive information. The collection takes place without any assessment of the
                                relevance that the individual decision has for e.g. the public debate or investigative
                                journalism. The result is a collection of data on everyone who, since 2008, has been the
                                subject of compulsory care due to mental illness or substance abuse.

                                It also appears from the investigation that the purpose of the data collection is, among
                                other things, to provide background checks in, for example, recruitment. Processing of
                                the data on health in question in such contexts can lead to noticeable
                                consequences for the data subjects.


                                It appears from Verifiera's own information that the data collection has been structured so
                                that, when searching for people, there are special search fields for name, social security
                                number, city, address and free text, and that search results are displayed in real time.
                                Furthermore, it has not appeared that Verifiera has taken any measures to exclude or limit
                                the possibility of searching on data that can be directly attributed to a natural person,
                                such as name or social security number. Nor has it appeared that Verifiera has removed or
                                masked such information in the documents.







                               According to IMY's assessment, it is a question of such a search service for the provision
                               of sensitive personal data which, in accordance with what the constitutional committee stated
                               in connection with the constitutional amendment, is far from the purposes that the
                               constitutions are intended to protect. 44


                               All in all, this means, according to IMY's assessment, that Verifiera's publication of
                               the data collection entails special risks of improper intrusion into individuals' personal
                               integrity. Thus, the third and last criterion in ch. 1 § 20 YGL is also fulfilled.


                               Summative assessment

                               In conclusion, IMY does – even taking into account the significant
                               assessment margin as assigned by the constitutional committee – the assessment to Verify
                               provides such a data collection as referred to in ch. 1. § 20 YGL, in that part

                               the collection of information involves the publication of decisions in psychiatric cases and LVM-
                               goal. This part of the data collection is thus not protected according to YGL, which means

                               that the exception in ch. 1 Section 7 first paragraph of the Data Protection Act is not applicable to
                               the treatment.


                               The next issue that IMY has to assess is whether the exception for journalistic purposes in
                               ch. 1 Section 7, second paragraph, of the Data Protection Act is applicable to the processing.


                               The processing does not take place for journalistic purposes


                               Applicable regulations, etc.

                               Ch. 1 Section 7, second paragraph of the Data Protection Act exempts large parts of
                               the Data Protection Regulation for processing that takes place for, among other things,
                               journalistic purposes. According to the exception, articles 5–30 and 35–50 of the Data
                               Protection Regulation and ch. 2–5 of the Data Protection Act do not apply to such processing.


                               The European Court of Justice has held that, in order to take into account the importance
                               of freedom of expression in democratic societies, the concepts associated with it, including
                               journalism, must be interpreted broadly. This means, among other things, that exceptions
                               from and limitations of the Data Protection Regulation should apply not only to media
                               companies but to everyone who is active in journalism. The case law of the European Court
                               of Justice also shows that "journalistic activity" is activity aimed at disseminating
                               information, opinions or ideas to the public, regardless of the medium through which this
                               occurs. 45


                               At the same time, the European Court of Justice has ruled that not all information that is
                               made available on the internet and which contains personal data is covered by the term
                               "journalistic activity". The European Court of Justice has further found in the judgment
                               Google Spain and Google that a search engine provider's processing through the provision
                               of the search engine could not be considered to be for journalistic purposes. 47


                               44 Bet. 2017/18:KU16, p. 41.
                               45 ECJ judgment Buivids, C-345/17, EU:C:2019:122, pp. 51–53.
                               46 ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 58.
                               47 ECJ judgment Google Spain and Google, C-131/12, EU:C:2014:317, p. 85.

                               In the ministerial memorandum Consequential changes to amended media fundamental laws,
                               the following, among other things, was stated on the question of whether search services
                               with criminal convictions could be covered by the concept of journalistic activity.

                                   "With this assessment, it is difficult to imagine a situation where the typical case
                                   mentioned by the committee of a data collection that is hit by the exceptions in
                                   the Freedom of the Press Ordinance and the Freedom of Expression Act – a pure search
                                   service regarding criminal convictions aimed at the general public – would, with
                                   application of the proportionality assessment indicated by the European Court of
                                   Justice, be considered to fall under the journalist exception in the Data Protection
                                   Act. This is because the data are quite obviously very privacy-sensitive and because
                                   such a register cannot be said to inform, exercise criticism and provoke debate on
                                   social issues of importance to the public. It would therefore go too far to claim
                                   that an exception from the protection of personal data in such a case is strictly
                                   necessary. The same may be considered to apply in the case of other sensitive personal
                                   data regarding, for example, ethnic background, sexual orientation or religious beliefs.

                                   As stated in section 5.2.2, it is also relevant whether the search service in question
                                   contains editorial material. It would, however, be required that the connection between
                                   the personal data and the editorial feature appears clear and relevant for the
                                   exception for journalistic activities to be invoked. Regarding the example of a private
                                   criminal record register directed at the public, the assessment is made that this
                                   cannot reasonably fall under the journalist exception simply because there are also
                                   independent articles and legal analyses in connection with the register. Another
                                   arrangement would mean that privacy protection can easily be circumvented in a way
                                   that cannot be considered to correspond to the balanced assessment between the
                                   protection of privacy and freedom of expression indicated by the European Court of
                                   Justice in the Satakunnan case." 48


                                In the bill An appropriate protection for the freedom of the press and expression (prop.
                                2021/22:59, p. 54) the following was stated:

                                    "Against that background, it is difficult to imagine a situation where a
                                    data collection provided in a constitutionally protected activity is exempt
                                    from constitutional protection due to the nature of the data collection but is covered
                                    by the Data Protection Act's journalist exception. An assessment of every conceivable
                                    situation cannot, however, of course be made generally in advance. Once the delegation
                                    provisions are applicable, it may be determined in the usual way in the individual
                                    case which requirements in the Data Protection Regulation the provider of the data
                                    collection needs to follow."


                                The Swedish Privacy Protection Authority's assessment
                                The issue that IMY has to decide is whether the processing of personal data concerning
                                health that Verifiera performs by including rulings in psychiatric cases and LVM cases in
                                the Services takes place for journalistic purposes in the sense referred to in ch. 1 § 7
                                second paragraph of the Data Protection Act and Article 85 of the Data Protection
                                Regulation. 49 It can initially be noted, in accordance with what appears from the
                                operator's statements above, that the scope for finding that a data collection covered by
                                ch. 1 Section 20 YGL is provided for journalistic purposes must be considered very limited.


                                IMY further notes that the fact that a website contains certain
                                publications with a journalistic purpose does not mean that all publications on
                                the website must be considered to have a journalistic purpose. 50 The fact that, in
                                connection with a data collection with legal rulings, there are independent articles and
                                legal analyses thus does not automatically mean that the entire data collection has a
                                journalistic purpose. It should be required that the connection between the personal data
                                and the editorial element appears clear and relevant for the exception for journalistic
                                activity to be invoked. It has not emerged in the case that there is editorial content
                                with a clear and relevant connection to the part of the data collection at issue in the
                                case, with decisions in psychiatric cases and LVM cases.

                                48 Ds 2017:57, p. 121.
                                49 For a more extensive review of the interpretation of the term "journalistic purposes", see IMYRS 2022:2, which
                                is available here https://www.imy.se/globalassets/dokument/rattsligt-stallningstagande/imyrs-2022-2-undantaget-for-journalistic-andamal.pdf.
                                50 See NJA 2001 p. 409, Ds 2017:57, p. 121 and IMYRS 2022:2, pp. 25–27.


                               The investigation shows that the Services aim, among other things, to provide
                               personal data for background checks of natural persons in connection with, for example,
                               recruitment. According to IMY's assessment, such processing of personal data cannot be
                               considered to have journalistic purposes. However, Verifiera has stated that the Services
                               also have purposes other than background checks, e.g. research. As IMY notes above, the
                               data collection that Verifiera provides is the result of an extensive collection of
                               legal rulings with very privacy-sensitive information. The collection takes place without
                               any assessment of the relevance of the ruling for e.g. the general debate or
                               investigative journalism. Nor are the rulings processed, e.g. to remove direct personal
                               data such as name and social security number. The result is a data collection in which it
                               is possible to search for anyone who since 2008 has been the subject of compulsory care
                               due to mental illness or substance abuse. This data collection cannot be considered to
                               have the main purpose of disseminating information, opinions or ideas to the public in
                               the manner referred to in ch. 1 Section 7 second paragraph of the Data Protection Act and
                               Article 85 of the Data Protection Regulation.


                               In view of Verifiera having stated that the activity is necessary for the general public's
                               legitimate interest in obtaining access to public documents, there is reason to underline
                               that the fact that the public may have a legitimate interest in accessing public
                               documents in an easily accessible way does not in itself mean that Verifiera has a
                               journalistic purpose with its processing. The European Court of Justice stated in the
                               judgment Google Spain and Google that the public could have a legitimate interest in
                               accessing information by searching a person's name in a search engine. At the same time,
                               the court held that the search engine provider could not invoke the exception for
                               journalistic purposes when processing personal data in such searches. According to the
                               court, this applied even in cases where the search hit referred to a newspaper article
                               that in itself had journalistic purposes. 52 According to IMY's assessment, the business
                               that Verifiera conducts through the part of the data collection relevant to the case falls,
                               in the same way as a search engine provider's business, outside the exception for
                               journalistic purposes.


                               In summary, IMY makes the assessment that Verifiera's publication of rulings in
                               the case types in question is not covered by the exception in ch. 1 Section 7, second
                               paragraph of the Data Protection Act.


                               Verifiera is the personal data controller for the processing


                               As can be seen above, IMY makes the assessment that the data protection regulation is applicable to
                               processing in the Services.


                               The personal data controller according to the data protection regulation is the person who alone or
                               together with others determines the purposes and means for the processing of

                               personal data (Article 4.7).




                               51 See IMYRS 2022:2, p. 23 f.
                               52 ECJ judgment Google Spain and Google, C-131/12, EU:C:2014:317, p. 81, 85 and 95.

                                IMY notes that it is Verifiera that provides the Services to paying users in return for
                                financial compensation. Furthermore, Verifiera has stated that it is Verifiera
                                that decides on the purposes and means for the personal data processing in its service,
                                although Verifiera points out that "in journalistic terms, it is the user who
                                decides on the purposes, in the same way that a newspaper reader himself decides
                                the purpose when he reads a published magazine, and not the newsroom which
                                published the paper."

                                Against this background, IMY finds that Verifiera is the personal data controller for

                                the personal data processing consisting of the provision of the Services and
                                the data collection.


                                The processing is contrary to Article 9 of the Data Protection Regulation


                                Applicable regulations
                                As stated above, IMY makes the assessment that Verifiera processes sensitive
                                personal data consisting of information about health in the Services. According to
                                Article 9.1 of the Data Protection Regulation, the processing of such data is generally
                                prohibited.

                                In order for the processing to be permitted, it is required that one of the exceptions
                                specified in Article 9.2 of the Data Protection Regulation is applicable to the processing.


                                According to Article 9.2 a of the Data Protection Regulation, the prohibition in Article 9.1
                                shall not apply if the data subject has expressly consented to the processing.


                                According to Article 9.2 g, the prohibition in Article 9.1 does not apply if the processing
                                is necessary for reasons of an important public interest, on the basis of Union law or
                                the national law of the Member States, which must be proportionate to the intended
                                purpose, be consistent with the essential content of the right to data protection and
                                contain provisions on appropriate and specific measures to safeguard the data subject's
                                fundamental rights and interests.


                                Consent
                                The data collection that is the subject of IMY's review consists of a large number of
                                legal rulings in psychiatric cases and LVM cases. The data collection is used by Verifiera
                                to provide the Services. One of these is called the background check service.
                                Verifiera has argued that express consent, according to Article 9.2 a of the Data
                                Protection Regulation, exists for the part of the processing that relates to this service.
                                IMY notes, however, that Verifiera obtains consent only when a background check is
                                ordered from Verifiera. Consent is thus given only after Verifiera has carried out the
                                processing of collecting and making searchable the decisions in which the sensitive
                                personal data is processed. A consent that is obtained after the fact is not valid. There
                                is therefore no reason to comment on whether the express consent which Verifiera claims
                                to collect otherwise meets the conditions of the Data Protection Regulation.

                                Article 9.2 g and freedom of expression and information

                                Regarding the processing in general, Verifiera has claimed that the processing "is
                                necessary for purposes relating to Verifiera's legitimate interest in being able to operate
                                its constitutionally protected activity within the framework of its certificate of
                                publication". According to Verifiera, the interests of the data subjects do not, in the
                                present case, outweigh the right to freedom of speech. Finally, Verifiera states that the
                                documents in the data collection are available through the majority of other sources, and
                                that the type of ruling concerned should be irrelevant since courts have to apply
                                confidentiality to the extent that information about health is present.

                                 IMY initially notes that legitimate interest (also called balancing of interests) is
                                 one of several legal bases according to Article 6.1 f of the Data Protection Regulation
                                 that are required for the processing of personal data to be lawful. However, this basis is
                                 not included in the enumeration of exceptions in Article 9.2 that can legitimize the
                                 processing of such sensitive personal data as is referred to in Article 9.1 and is now at
                                 issue. As far as can be understood, Verifiera has by the above stated that the exception
                                 in Article 9.2 g constitutes legal support for the processing.


                                 IMY notes that the public's freedom of expression and information is an important public
                                 interest. This is also expressed in Article 85 of the Data Protection Regulation, which
                                 imposes an obligation on Member States to reconcile by law the right to privacy under
                                 the Data Protection Regulation with freedom of expression and information. According to
                                 Article 85(2) of the Data Protection Regulation, Member States may make exceptions to
                                 the provisions of, among other things, Article 9 if it is necessary to reconcile the right
                                 to privacy with freedom of expression and information. In Swedish law, this has taken
                                 place through ch. 1 Section 7 of the Data Protection Act, which according to IMY's
                                 assessment in this decision is not applicable to the part of Verifiera's data collection
                                 reviewed in this decision.

                                 The Data Protection Regulation can be interpreted as meaning that only Article 85,
                                 in accordance with the principle of lex specialis, is to be used to regulate in national
                                 law the relationship between the right to protection of personal data and the right to
                                 freedom of expression and information. According to IMY, however, it cannot be ruled out
                                 that it is, in addition, possible to introduce national regulation of the kind referred
                                 to in Article 9.2 g of the Data Protection Regulation to provide support for the
                                 processing of sensitive personal data that is necessary to safeguard the public's
                                 freedom of expression and information. Such regulation would, among other things, need
                                 to contain provisions on appropriate and specific measures to safeguard the data
                                 subject's fundamental rights and interests. However, no such regulation has been
                                 introduced into Swedish law. There is thus no possibility for Verifiera to apply
                                 Article 9.2 g of the Data Protection Regulation with reference to the public's
                                 freedom of expression and information.


                                 Article 9.2 g and the principle of publicity
                                 Verifiera has also stated that the processing in the data collection is necessary for
                                 the general public's legitimate interest in obtaining, within the framework of Verifiera's
                                 constitutional protection, access to public documents available in the Services. IMY
                                 therefore finds reason to assess whether the rules on the principle of publicity in
                                 ch. 2 TF can provide support for Verifiera's processing.


                                 The Data Protection Regulation regulates the relationship between the right to protection
                                 of personal data and the principle of publicity in Article 86. It states that personal
                                 data in public documents kept by an authority, a public body or a private
                                 body for carrying out a task of public interest may be disclosed by the authority
                                 or the body in accordance with the national law of the Member State in order to
                                 reconcile the public's right to access public documents with the right to protection
                                 of personal data in accordance with the regulation. In ch. 1 Section 7 first paragraph
                                 of the Data Protection Act, provisions have also been introduced that make it clear that
                                 the Data Protection Regulation shall not be applied to the extent that it would conflict
                                 with the rules on public documents in ch. 2 TF. 53

                                 53 Prop. 2017/18:105, pp. 42–43.

                                 The provisions on public documents in ch. 2 TF give everyone the right to access
                                 public documents that are not covered by confidentiality. For a document to be
                                 a public document, it must be kept by an authority or another body
                                 covered by the principle of publicity (Chapter 2, Sections 4 and 5 TF). The rules in
                                 ch. 2 TF thus do not give the public a right to access public documents released by
                                 an organization which, like Verifiera, is not subject to the obligation to disclose
                                 documents under the principle of publicity.


                               The rules in ch. 2 TF also do not give the person who receives public documents a right
                               to spread them further or to further process them in another way. The purpose of
                               the principle of publicity, as expressed in ch. 2 § 1 TF, is admittedly to
                               promote a free exchange of ideas, free and comprehensive information and free artistic
                               creation. However, the further processing of disclosed public documents is not covered
                               by the provisions in ch. 2 TF but by other rules, especially other parts of
                               the basic media laws. The basic media laws give, among other things, the right to publish
                               public documents or information from such documents and to disseminate such publications
                               (see, among other things, ch. 1 § 1 second paragraph and ch. 6 TF and ch. 3 YGL).


                               It should be emphasized that Swedish data protection rules create a large scope
                               for further processing personal data in public documents, in order to accommodate the
                               fundamental importance that freedom of the press and of expression has for the Swedish
                               form of government. This takes place through the exception for the basic media laws in
                               ch. 1 Section 7 first paragraph of the Data Protection Act and the exception for, among
                               other things, journalistic purposes in ch. 1 Section 7, second paragraph of the Data
                               Protection Act. As IMY notes in this decision, however, the personal data processing in
                               question is not covered by these exceptions.


                               Against this background, IMY notes that ch. 2 TF does not regulate Verifiera's
                               publication of sensitive personal data and therefore cannot constitute a basis under
                               Article 9.2 g of the Data Protection Regulation for this processing. In addition, it can
                               be noted that the rules in ch. 2 TF do not contain any such appropriate and specific
                               measures to protect the rights of the data subjects in the further processing of
                               disclosed public documents.


                               Conclusions
                               Since nothing has come to light to suggest that any other exception in Article 9.2 is
                               applicable, IMY finds that Verifiera during the period 6 April 2022 – 28 June 2022 has
                               processed sensitive personal data (data on health) in violation of Article 9 of
                               the Data Protection Regulation in its services at www.verifiera.se.


                               Choice of intervention

                               It follows from Article 58.2 i and Article 83.2 of the Data Protection Regulation that IMY
                               has the power to impose administrative penalty fees in accordance with Article 83.
                               Depending on the circumstances of the individual case, administrative penalty
                               fees are to be imposed in addition to or instead of the other measures referred to in
                               Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83.2 states
                               which factors shall be taken into account when deciding whether administrative penalty
                               fees shall be imposed and when determining the size of the fee. If it is a question of a
                               minor violation, IMY may, as set out in recital 148, issue a reprimand according to
                               Article 58.2 b instead of imposing a penalty fee. Consideration must be given to
                               aggravating and mitigating circumstances of the case, such as the nature, severity and
                               duration of the infringement as well as previous violations of relevance.

                               IMY has established that during the relevant period, Verifiera has carried out a
                               comprehensive collection of sensitive personal data about a large number of people in the
                               Services by publishing, among other things, 210,000 decisions from the administrative
                               courts, of which approx. 193,000 are psychiatric cases and approx. 18,000 are LVM cases.
                               The cases contain a great deal of privacy-sensitive information regarding people who are
                               or have been in a very vulnerable situation. The result is a collection of data on
                               everyone who since 2008 has been subject to compulsory care due to mental illness or
                               substance abuse. The investigation further shows that the purpose of the data collection
                               is, among other things, to provide background checks in recruitment. Processing of the
                               health data at issue in such contexts can lead to noticeable consequences for the data
                               subjects, for example in the form of reduced opportunities to be considered for
                               employment, and exclusion. According to IMY, the violation of Article 9 found in this
                               decision is thus of such scope and degree of seriousness that it would normally result in
                               a substantial penalty fee.


                               In this supervisory case, however, there are special circumstances that militate against a sanction
                               charge. It concerns the processing of personal data on a website that has a
                               certificate of publication and as a starting point has constitutional protection according to the basic media laws.
                               The limitation of the constitutional protection of data collections that make public sensitive
                               personal data, introduced in 2019 through ch. 1 Section 20 YGL, has not previously been applied
                               by IMY. The provision has also not, as far as can be seen, been applied by any court
                               or any other authority. There is thus a lack of practice regarding how the constitutional
                               provision - which in some respects requires relatively difficult considerations
                               - shall be applied. In addition, until recently there has been indicative information
                               on IMY's website which has been perceived as meaning that IMY has no opportunity to
                               intervene against websites with a certificate of publication. Overall, this means, according to IMY's
                               assessment, that it would not be proportionate to impose a penalty fee on Verifiera for
                               the established violations in the current case. Verifiera AB must therefore,
                               with the support of Article 58.2 b of the data protection regulation, instead be given a reprimand for
                               the violation found.


                               The publication of the sensitive personal data means a serious
                               breach of privacy for the persons concerned. Verifiera's certificate of publication does not allow
                               any exception to the data protection regulation as long as the company continues to
                               publish sensitive personal data in a data collection covered by ch. 1 Section 20
                               YGL. It is important to ensure that this breach of privacy ends. IMY
                               therefore assesses that there are grounds to order Verifiera, according to Article 58.2 d of the
                               data protection regulation, to take measures so that, in the services that Verifiera offers
                               on www.verifiera.se, it is no longer possible for users of the services, by searching
                               on people with one of the search parameters personal name, social security number or address,
                               to access decisions in cases under the Act on Compulsory Psychiatric Care or the Act on Care
                               of drug addicts in certain cases concerning the person searched for. The measures must have
                               been taken no later than eight weeks after this decision has become final.

                               ______________


                               This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
                               by the lawyer Martin Wetzler. In the final proceedings, the Chief Justice David
                               Törngren, unit manager Catharina Fernquist and department director Hans Kärnlöf also
                               participated. The lawyer Olle Pettersson has participated in the proceedings.


                               Lena Lindgren Schelin, 2022-09-13 (This is an electronic signature)






                                How to appeal

                                If you want to appeal the decision, you must write to the Swedish Privacy Protection Agency. State in
                                the letter which decision you are appealing and the change you are requesting. The appeal must
                                have been received by the Privacy Protection Authority no later than three weeks from the day you received
                                the decision. If the appeal has been received in time, the
                                Privacy Protection Authority forwards it to the Administrative Court in Stockholm for
                                examination.

                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by
                                secrecy. The authority's contact details appear on the first page of the decision.