Data Protection in Sweden

From GDPRhub
Revision as of 14:05, 1 October 2021 by FD (talk | contribs)
Data Protection in Sweden
At.png
Data Protection Authority: IMY(Sweden)
National Implementation Law (Original): Lag (2018:218)
English Translation of National Implementation Law: / Act containing supplementary provisions to the EU General Data Protection Regulation
Official Language(s): Sweden
National Legislation Database(s): Link
National Decision Database(s): RIS.bka.gv.at


Legislation

History

Sweden introduced one of the first data protection laws in the world in 1973 with the introduction of the Data Act (Datalagen). The supervisory authority Datainspektionen was founded the same year. On 1 January 2021, the name was changed to Integritetsskyddsmyndigheten ("IMY").

National constitutional protections

The Swedish Basic Laws are four fundamental laws, regulating the political system and acting in the same role as constitutions in most other countries. The four Basic Laws are The Instrument of Government; The Freedom of the Press Act; The Fundamental Law on Freedom of Expression, and the Act of Succession.

The Basic Law protects the right to privacy in Chapter 2 § 6 in the Instrument of Government.

The right to free speech is secured in Chapter 2 § 1 in the Instrument of Government and Chapter 2 § 1 of The Fundamental Law on Freedom of Expression, and Chapter 1 § 1 in the Fundamental Law on Freedom of Expression.

Freedom of information follows from Chapter 2 § 1 in the Instrument of Government.

The right of public access follows from Chapter 2 § 1 The Fundamental Law on Freedom of Expression.

It is unsure if the GDPR is compatible to the constitutional protection. The stance of the Swedish government is that Article 85 and 86 allows the constitutional protections found in the Basic Laws.

National GDPR implementation law

In Sweden the GDPR is implemented by Lagen (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning. The unofficial English name for this statute is the Act containing supplementary provisions to the EU General Data Protection Regulation. This law is commonly refered to as "The Data Protection Act" (Dataskyddslagen).[1]

Age of consent

The age of consent in Sweden is 13 years following § 4 of the Data Protection Act.

Freedom of Speech

Under Chapter 3 § 3 number 3 there is a general provision opening up for processing personal data that represent an important public interest based on a balancing of interest with the fundamental rights and interests of the data subject. It follows from § 4 that the government may issue further regulations on processing of special categories of personal data that is necessary in view of an important public interest.

Employment context

Chapter 3 § 2 further that processing special categories of personal data in the context of employment and social security may be done in accordance with Article 9 for purposes of excercising rights, or fulfilling obligations under labour law.

Research

Under Chapter 3 § 3 number 3 there is a general provision opening up for processing personal data that represent an important public interest based on a balancing of interest with the fundamental rights and interests of the data subject. It follows from § 4 that the government may issue further regulations on processing of special categories of personal data that is necessary in view of an important public interest.

Archival and statistical purposes

Special categories of personal data may be processed if it is necessary for the controller to comply with regulations on archives pursuant to Chapter 3 § 6.

For processing of special categories of personal data for statistical purposes, the benefit must be necessary for statistical purposes and the public interests in the processing must clearly weigh in the favor of such processing without an undue intrusion into the privacy of the individual, pursuant to Chapter 3 § 7.

Health sector

According to Chapter 3 § 5 of the Data Protection Act, special categories of personal data may be used if the processing is necessary for one of six applicable purposes:

(1) preventive health care and occupational medicine; (2) the assessment of an employee's work capacity; (3) medical diagnoses; (4) provision of health care or treatment; (5) social care, or (6) management of health care services, social care and their systems

Other relevant national provisions and laws

IMY can impose sanctions on government breaches pursuant to Chapter 6 § 1(1) in accordance with Article 83

National ePrivacy Law

The ePrivacy Directive is implemented through several laws, the most important being the Electronic Communications Act (Lag 2003:389 in SE) which regulates the placement of cookies in § 18. The supervisory authority is Post- och telestyrelsen, PTS.

Data Protection Authority

The Swedish Data Protection Authority (Integritetsskyddsmyndigheten, "IMY") is the national data protection authority for Sweden.

→ Details see IMY_(Sweden)

Judicial protection

The Courts in Sweden are divided into two distinct tracks: The General Courts and The Administrative Courts. Both tracks have three tiers. The General Courts mainly deal with criminal cases, in addition to some select civil law disputes.

Complaints regarding IMY's administration of a case can be lodged as a complaint with the Parliamentary Ombudsmen.

General Courts

While most of the cases related to data protection will be handled by the Administrative Courts if brought into the court system, requests for damages will be handled by the General Courts. Claims of damages can also be handled by IMY.

Administrative Courts

Appeals from IMY can be brought before the Administrative Courts.

  1. https://www.imy.se/verksamhet/dataskydd/sa-hanger-lagarna-ihop/