IMY (Sweden) - IMY-2022-1621
From GDPRhub
| IMY - IMY-2022-1621 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 9 GDPR Article 85(1) GDPR Article 85(2) GDPR Article 6(1)(f) GDPR Article 4(7) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 13.09.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | IMY-2022-1621 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | IMY (in SV) |
| Initial Contributor: | n/a |
The Swedish DPA reprimanded a controller for violating Article 9 GDPR by publishing sensitive data in its background check database, such as information about compulsory care due to mental illness and addiction.
English Summary
Facts
The controller was a company which provided background check services in Sweden. For this purpose, it made publicly available a database, which contained legal and financial information of both legal and natural persons, collected among others from court decisions from 2008 onwards. The database included specific search fields for "name", "personal identity number", "city/address" and "free text search". On top of that, an additional "background check extension service" enabled customers, through a consent request from the person to whom the background check related, to obtain a report on any current or past legal disputes regarding compulsory care due to mental illness or addiction.
The Swedish DPA received multiple complaints from data subjects about the service of the controller, especially the processing of sensitive data relating to health. The DPA initiated its own investigation in order to find out whether the controller was subject to and respected the applicable data protection laws. The controller alleged that the GDPR did not apply to its service because it was constitutionally protected under the Swedish Freedom of Expression Act. To illustrate the issue at hand, Swedish law contained exceptions on the applicability of the GDPR in favour of freedom of expression. Member States have the possibility to introduce such exceptions provided in Article 85 GDPR.
The specific provision, Chapter 1.7 Paragraph 1 of the Swedish Data Protection Act, states that the GDPR and the implementing national law shall not apply to the extent that this would conflict, among others, with the Freedom of Expression Act. Under this law, the GDPR generally applies to online publications. As a way of exception, publications using databases developed from publicly available information, are not covered by the GDPR. However, the GDPR is still applicable when sensitive data was published in such a database (Chapter 1 Section 20 of the Freedom of Expression Act).
In the present case, the DPA had to determine whether the controller's database fell within the scope of the above-mentioned provisions.
Holding
The Swedish DPA determined whether the exception in Chapter 1 Section 20 Freedom of Expression Act, which made the GDPR applicable to processing of sensitive data, was relevant. Three separate conditions had to be met for this.
First, there had to be a disclosure of sensitive personal data. The DPA recalled that the term "health data" should be interpreted broadly (Article 4(15) GDPR), reflecting both physical and mental state (Lindqvist, Case C-101/01). The DPA held that the respective court cases in the database usually contained information about the health of persons, for example when the data subject had been subject to compulsory care. Therefore, there was a disclosure of sensitive personal data.
Second, the data had to be part of a data collection organised in such a way that it could be searched or compiled. The only requirements were that the data must concern more than one person and the data has to be sorted according to some kind of system. The DPA concluded that, in this case, large amounts of sensitive data were involved. For the data to be searchable, it was sufficient that that the data collection allowed for a free text search, as in the controllers database.
Third, there had to be specific risks of undue intrusion into the privacy of individuals, given the nature of the activities and the forms in which the data collection was made available. The DPA held that, in this case, the controller extensively collected judicial decisions that contained highly privacy-sensitive information. The collection was carried out without assessing the relevance of the individual court decisions. Furthermore, the controller did not take any measures to limit the possibility of searching for personal information linking to a data subject, such as name or social security number. The DPA concluded that the publication of this data posed particular risks of undue interference with the privacy of individuals. In conclusion, the GDPR was applicable to the case at hand.
Further, the DPA assessed whether the rules on journalistic publication in Chapter 1.7, Paragraph 2 of the Data Protection Act applied to the processing. The DPA held that the fact that a website contains certain publications with a journalistic purpose did not mean that all publications on that website should be considered to have such a purpose. The link between the personal data and an editorial element has to be clear and relevant in order for this journalistic exception to be invoked. The DPA determined that the purposes used by the controller, to provide background checks for recruitment amongst other things, were not journalistic purposes. Despite the fact that the controller had argued its activities were necessary for the legitimate interest of the general public in obtaining access to public documents, the DPA held that this did not mean the controller itself had a journalistic purpose for its processing. Therefore, the journalistic exception was not applicable in this case.
Finally, the DPA also assesed the lawfulness of the processing, by looking at whether the processing of sensitive data violated Article 9 GDPR. In this regard, the DPA noted that the controller only asked for consent from the data subject after a background check had already been ordered. Consent was therefore given after the controller had carried out the processing operations to collect and arrange the court decisions. The DPA held that consent obtained after the processing was not valid. Hence, there was no need to consider whether the requirements of explicit consent under Article 9(2)(a) GDPR were met. The DPA noted that the statements of the controller referred to the exception in Article 9(2)(g) GDPR. National rules could be introduced, such as described in Article 9(2)(g) GDPR, to support the processing of sensitive personal data, necessary to ensure the public's freedom of expression and information. However, these national rules should be proportionate and contain appropriate measures to safeguard the fundamental rights and interests of the data subject. Since, the Swedish law did not contain such provisions, the controller was not able to rely on Article 9(2)(g) GDPR for its processing. The DPA concluded that the controller processed health data in violation of Article 9 GDPR.
The DPA reprimanded the controller but did not impose a fine, due to mitigating factors, such as the fact that the controller was a licensed operator and because the matter at stake involved relatively complex assessments.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(28)
Verify AB
Banérgatan 3
114 56
Stockholm
Diary number:
IMY-2022-1621
Date: Decision after supervision according to
2022-09-13
data protection regulation - Verify
AB
Content
The Privacy Protection Authority's decision................................................... ............................3
Statement of the supervisory matter ............................................... ........................................3
Information about the Services on the Website................................................... ...........4
What Verifiera AB has stated................................... ...................................6
Opinion on 27 May 2022............................................. ............................6
Opinion on 13 June 2022............................................. ............................7
Limitation of the examination framework in the review............................................... .............10
Justification of the decision................................................... ................................................... ..11
Legal background................................................... ..............................................11
EU law's regulation of the relationship between the right to protection for
personal data and the right to freedom of expression and information...............11
The Swedish Data Protection Act's exception for opinion and
freedom of information................................................... ................................12
The basic regulation on voluntary issuance certificates.................................13
The interpretation of ch. 1 Section 20 YGL and IMY's authority.......................................15
The exception in ch. 1 § 20 YGL is applicable ............................................. ..........16
Personal information about health is made public................................................. .....16
The data collection has been arranged so that it is possible to search for or
compile sensitive personal data................................................. ...17
Mailing address:
Box 8114 There are particular risks for improper intrusions into the personal
104 20 Stockholm integrity ............................................... ................................................18
Website: Summative Assessment................................................... ....................21
www.imy.se
E-mail: Processing does not take place for journalistic purposes............................................. .....21
imy@imy.se
Applicable regulations, etc. ................................................ ............21
Phone: Assessment by the Privacy Protection Authority............................................22
08-657 61 00 The Swedish Privacy Agency Diary number: IMY-2022-1621 2(28)
Date: 2022-09-13
Verifiera is the personal data controller for the processing ........................................23
The processing contravenes Article 9 of the Data Protection Ordinance............................24
Applicable regulations ................................................... ......................24
Consent ................................................... ..............................................24
Article 9.2 g and the freedom of expression and information................................24
Article 9.2 g and the principle of publicity ............................................. ......25
Conclusions ................................................. ..............................................26
Choice of intervention................................................... ................................................26
How to appeal ............................................... ................................................... .....28 The Swedish Privacy Agency Diary number: IMY-2022-1621 3(28)
Date: 2022-09-13
The Privacy Protection Authority's decision
The Swedish Privacy Protection Agency states that Verifiera AB, during the period on April 6
2022 – 28 June 2022, has processed sensitive personal data (data about health) in
violation of Article 9 of the data protection regulation in its services at www.verifiera.se.
The Swedish Privacy Protection Authority gives Verifiera AB a reprimand according to article 58.2 b i
the data protection regulation for the established violation.
The Privacy Protection Authority orders Verifiera AB according to article 58.2 d i
data protection regulation to take measures so that in the services that Verifiera offers
on www.verifiera.se is no longer possible for users of the services to search
on people with one of the search parameters personal name, social security number or address
take part in decisions in cases according to the act (1991:1128) on compulsory psychiatric care or
the law (1988:870) on treatment of drug addicts in certain cases that applies to the wanted person
the person. The measures must have been taken no later than eight weeks after this decision won
cook power.
Account of the supervisory matter
The Swedish Privacy Protection Authority (IMY) has received complaints regarding Verifiera AB's
(Verify or the company) services. IMY has subsequently on its own initiative initiated supervision of
Verify against the background of the description of its services (hereinafter "the Services") which
the company has provided on its website www.verifiera.se (hereinafter the "Website"). 2
The purpose of the inspection was to investigate whether Verify through the provision of
The services:
• publishes sensitive personal data in such a way as referred to in ch. 1. 20
§ YGL,
• processes personal data in a manner that is compatible with the principles of
legality, correctness, transparency, purpose limitation and data minimization
(Article 5 of the Data Protection Regulation),
• has support in some legal basis for the processing of personal data (Article 6 i
the data protection regulation), and
• processes information about health, i.e. sensitive personal data in that sense
as referred to in article 9.1 of the data protection regulation, and in that case if any of
the exceptions in Article 9.2 of the Data Protection Regulation from the prohibition of
processing of such data is applicable.
The supervision has taken place through review of the information that Verifiera entered
the services on the Website and correspondence.
1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regarding the processing of personal data and on the free flow of such data and on the cancellation of
directive 95/46/EC (General Data Protection Regulation).
2For a description of the services, see below under the headings "Information about the Services on the Website" and "What
Verifiera AB has stated". Privacy Protection Agency Diary number: IMY-2022-1621 4(28)
Date: 2022-09-13
Information about the Services on the Website
On April 6, 2022, IMY reviewed and documented the information as Verify
provided about the Services on the Website. The documentation has been communicated with
Verify and its accuracy has not been questioned by the company. It shows the following.
The start page shows example images of how a search in the legal database might look. At
personal search there are special search fields for "Name", "Social security number", "City/Address" and
"Free text search".
On "www.verifiera.se/tjanster" the following appears:
"How does Verifiera's service take GDPR into account? Verify and our services follow
of course the laws, rules and regulations that apply. Verify has proof of issue
and is thereby constitutionally protected according to the Freedom of Expression Act (YGL), which
means that the GDPR (Data Protection Regulation) is not applicable to Verify or
Verified services. To Verify has proof of publication and is constitutionally protected
further means that it is not the Privacy Protection Authority (IMY) that is
supervisory authority with regard to Verified certificate of issue, but this accrues
The Authority for Press, Radio and Television. As long as our customers are in Verified
web interface, our customers' use of our services is covered by the same
constitutional protection. As a user, however, you must comply with GDRP just in case
chooses to download and process personal data in the sense of the GDPR. For more
specific questions, do not hesitate to contact our Customer Service.”
“How do I know that the information is correct? Verify retrieves all documents instantly
from Swedish courts and authorities. As far as the information that you can
find in Verified's legal database extremely reliable. To be verified legal database
updated in real time ensures you always get the latest, updated
the information. Some changes to the information that appears in the public records
the actions do not take place.”
“How extensive is the background information? A background check report can
at the customer's request include either only legal information or both
legal as well as financial information. The legal information extends back i
the time until the year 2008 and includes all legal public documents for a certain legal
or natural person. The financial information includes historical debt balances
as these are registered with the Kronofogden, the most recent taxation years from
The Tax Agency and any payment orders.
Furthermore, background checks cover personnel such as marital status, management
position and, if desired, driver's license permit."
On "www.verifiera.se/bakgrundskontroll" the following appears:
"If you do a background check on a private person who contains
financial information, the person must give their consent to a
background check must be possible. A copy of the information is sent to the person requested
in accordance with the Credit Information Act.”
3 These descriptions are documented in service notes (file appendix 2 and 2.1-2.7 in the case). Privacy Agency Diary number: IMY-2022-1621 5(28)
Date: 2022-09-13
"When a user wishes to do a background check on an individual, the user gets
possibility to adjust how comprehensive it should be. The user can exclude
financial information in cases where it would not be of interest.”
"Depending on what need you have to do background checks, you can choose
between buying background check reports piecemeal or a larger quantity
reports within the framework of a subscription to Verifiera's legal database."
"BACKGROUND CHECK - PIECE BY PIECE. If you only need one
background check occasionally you can order a background check
piecemeal. They cost SEK 1,295/piece excluding VAT."
“Is everything done online? Yes, Verifiera's legal database is a digitization of Swedish
public documents of courts and authorities. Our customers' searches and
filtering is done in Verifiera's interface and the result is generated online in real time.”
“Is it complicated to do a background check? No, you need to know
social security number, organization number or personal or company name in order to
do a background check. Searches based on person and
organization number gives the fastest and safest results."
The following appears on "www.verifiera.se/abonnemang":
"What does Verifiera's subscription mean? The subscription means that you get access to
our easy-to-use online tool, where you get access to our entire legal database and
can quickly find and share the information you are looking for.
Verified business service addresses companies, authorities and others
organizations with a need to carry out background checks on private individuals
and companies. The service includes an easy-to-use web interface where you can quickly
find and share the information you are looking for. All judgments, decisions, and
diary pages are searchable in full text and can be read in their original form as PDF. We
also provides API solutions for those who so desire.”
"As logged into the legal database, the user can search with a number of different parameters
as; social security number, organization number, name, address, legal entity and
free text etc.”
The following appears on "www.verifiera.se/vart-werktyk":
”Verified legal database regularly collects public documents from
Sweden's courts and authorities. The legal database stretches back in time to
2008. In addition to judgments, legal documents such as brought charges,
issued subpoenas, diary sheets, non-prosecutions and penalty orders
which means that our customers can easily follow the progress of a legal case in the legal department
the process. Unlike the police criminal record, Verified is not screened
legal database, which ensures that you have the opportunity to decide for yourself whether a
legal document is relevant to your business decision or not.”
On all pages, reference is made to the possibility to try Verify free of charge for 14 days,
both by direct link to the form to try Verify in the header and with others
links on the pages about starting the 14-day trial period. The Swedish Privacy Agency Diary number: IMY-2022-1621 6(28)
Date: 2022-09-13
During previous checks of the Website, IMY has observed a web page where it is described
which documents the legal database contains. The corresponding page no longer seems to be accessible
from Verified home page but the linking URL is still working per
on April 6, 2022. In the enumeration of target types on from the administrative rights is indicated
including the following:
• Social security goals, i.e. cases regarding disputes with the Swedish Social Insurance Agency i
matters relating to e.g. worker's compensation, parental allowance or various supports
to the disabled.
• LVU cases (cases according to the law with special provisions on the care of young people),
i.e. goals such as is about whether minors must be looked after under duress
outside their own home.
• LVM cases (cases according to the Act on the care of drug addicts in certain cases), i.e. goals that
is about forced care for drug addicts.
• Psychiatry goals, i.e. cases dealing with matters relating to compulsory psychiatric care
and forensic psychiatric care.
What Verifiera AB has stated
Opinion on 27 May 2022
Verifiera AB has essentially stated the following in its opinion on 27 May 2022.
Verifiera is a Swedish limited company with a certificate of issuance for its operations.
On November 2, 2016, the Authority for Radio and Television issued a release certificate for
Verifiera.se. The business is therefore constitutionally protected according to freedom of expression
the constitution. Something that is also whitewashed by IMY on the authority's website:
"The Data Protection Regulation (GDPR) does not affect businesses with certificates of issue."
It follows from the constitution that the GDPR shall not be applied to activities covered by
the freedom of expression basis. Even outside the scope of the Freedom of Expression Act, it is exempted
GDPR through the general exceptions for journalistic purposes as well as
motivational statements about the importance of the right to freedom of expression in a democratic society.
IMY's supervision involves a violation of the authority's authority and competence. To
IMY lacks authority and authority is also evident from the authority's response
website on the question of whether to submit complaints to IMY on sites that have
proof of issue: “No. Unfortunately, we have no way of getting those types of sites to be removed
information if you send us a complaint. To provide feedback regarding
the legislation regarding issuance certificates, we recommend that you contact the legislator,
in this case the Constitution Committee. They are responsible for preparing questions of
constitutional and administrative law significance.”
On the Website, Verifiera provides, within the scope of its certificate of issuance, among
otherwise scanned judgments obtained from Sweden's Courts. The actions are
public and accessible to the common man, credit companies and other equivalents
services, which follows from the Swedish principle of openness.
Verifiera is a news agency regarding, among other things, research and background checks.
Verifiera uses a subscription form which means that mainly different
types of organizations and professional actors with a need for the information on
The website in its professional practice, for example companies and authorities, uses
of the Website. Only paying users can access the material on
The website, after which the users can, through active measures in real time, receive information from the Integrity Protection Agency Diary number: IMY-2022-1621 7(28)
Date: 2022-09-13
and decisions which are scanned and available on the Website. Before a customer signs
an agreement with Verifiera, the customer can try the service for fourteen days during
condition that the customer undergoes a demonstration of the service. During the trial period
are offered access to a standard subscription.
Through its activities, Verifiera contributes to free and comprehensive information on an appropriate basis
way. Verified's business is also not unique. On the contrary, the equivalent is provided
service or more extensive services since a long time from well-established services (eg
www.infotorg.se and www.juno.se, formerly Karnov). Like these services, it is possible to
The website find judgments and decisions, including administrative law judgments through
free text search or through more specific search fields (called filters in some databases).
Because the documents on the Website consist of public documents that are
available for anyone to take part in many places other than the Website, not least
through other services such as or the courts or authorities themselves, thereby
there is no particular risk with the publication that takes place on the Website.
The background extension service enables customers, through a consent request from
the person to whom the background check relates, obtain a background check report
regarding any ongoing or previous legal disputes. The legal data is retrieved from
courts and authorities and consists of public documents. A prerequisite for one
such background report is that the person in question agrees to this, verification takes place
including bank ID. The service has no connection to the data protection regulation.
As for Verifiera's data and IT security, it is very high. The company has its own
servers located in data centers within the EU. Verify using software that is not
accessible via the internet which means that all services are isolated from each other as well
internet. Only Verified CTO and Network Administrator have access to the software.
In case an IP address is available from the internet, it is protected with one
firewall bound to specific IP addresses. All Verifiera's systems are built with
protection against various types of IT attacks.
With regard to decisions on health care, information on the state of health of individuals applies
strong confidentiality, which means that such information may only be disclosed if it is clear that
the individual or someone close to him does not suffer but. The same applies in other
medical activities, for example forensic and forensic psychiatric examination.
Judgments and decisions relating to such conditions are subject to confidentiality and the courts
therefore does not disclose information about health or the like. Then the judgments found on
The website corresponds to those at the court, the same applies to
the documents available on the Website.
Opinion on 13 June 2022
Verifiera AB has essentially stated the following in its opinion on 13 June 2022.
Introduction and general
Verify maintains the positions expressed in the opinion of May 27, 2022.
It is Verifiera's opinion that IMY lacks any right to initiate the present review
as well as to exercise supervision over Verify. The relationship to Verify in a more detailed way
answering questions regarding compliance with the data protection regulation does not mean that
Verify that the data protection regulation is applicable or that IMY at all
has the right to conduct the review that is carried out. Concepts such as "personal data
treatment" and more are used even if Verifiera's view is that the company's Privacy Protection Agency Diary number: IMY-2022-1621 8(28)
Date: 2022-09-13
handling of public documents does not constitute a processing of "personal data" which
covered by the data protection regulation.
The purposes of the personal data processing carried out in the services
Verify provides general documents to the users of the Services for the purpose of
carry out their constitutionally protected activities and in a wider sense promote a
all-round information and a free opinion formation.
Who decides on the purposes and means of the processing in the respective service
Verify decides on the purposes and means of the "personal data processing" of
The services. Verifiera would like to point out, however, that from a journalistic point of view it is
the user who decides on the purposes, in the same way as a newspaper reader himself
determines the purpose when this takes part in a published journal, and not
the newsroom that published the newspaper.
If consent is collected from affected persons before processing in any of the services
Consent in the sense referred to in article 6.1 a of the data protection regulation, and
express consent in the sense referred to in 9.2 a, is collected in connection with
background checks in the Background Supplement Service from the person to whom the check applies.
The service enables customers, through a consent request from the person who
the background check refers to obtaining a background check report regarding any
ongoing or past legal disputes. The legal data is taken from courts and
authorities and consists of public documents. A prerequisite for such
background report is that the person in question agrees to this and verification takes place among
other with bank ID. Consent is not otherwise collected.
Legal basis for the processing and circumstances showing that it is valid
The processing in the Services is necessary to protect the interests of
fundamental importance for the data subject or for another natural person, i.e.
the public's right to freedom of expression and access to public documents, etc.
The processing in the Services is necessary for purposes related to Verified eligible
interest in being able to run their constitutionally protected activities within the framework of their
certificate of issue.
The processing in the Services is necessary for purposes that concern the common man
legitimate interest in, within the framework of Verifiera's constitutional protection, being informed of
public documents available in the Services.
In the present case, the interests of the "registered" do not outweigh the right to freedom of expression.
hot. The documents found in the Services are available through several others
sources. The type of court decision in question should be uninteresting then
courts have to apply confidentiality to the extent that information about health is present.
If information about health in the sense referred to in Article 9.1 is processed
Verifiera has understood it to mean that IMY's review refers to information in
court decisions from the general administrative courts.
Administrative courts rule over a wide range of legal areas, the majority of which are Torde
lacking any relevance for IMY such as cases of tax, PBL, migration, legality review,
driver's license interventions, different types of permits, foundations, land and environment, animal welfare,
public procurement etc. The Swedish Privacy Agency Diary number: IMY-2022-1621 9(28)
Date: 2022-09-13
IMY has not specified in more detail exactly which target types they think it can contain
"sensitive personal data", however some exemplification has been done. Furthermore, IMY has not
asserted the extent to which they believe such targets contain “sensitive
personal data" but seem to draw all exemplary target types under the same roof,
an order that Verify questions.
It is possible that some target types may, to an unknown extent, contain data
regarding people's health. However, as stated above, the courts have to follow one
strict confidentiality regarding health and similar information. Is a judgment from one
administrative court public (and not protected by secrecy), are also data, in it
to the extent such are apparent, public. Courts are generally reticent to state
data that can in any way be described as "sensitive". The courts limit
the information in judgments to the level necessary to explain the outcome i
the target. To the extent that a court decision nevertheless contains information that can
is designated as "sensitive", the processing is necessary, among other things, with regard to a
important public interest on the basis of Swedish law. The treatment done by
Verify is commensurate with the purpose pursued and is also consistent with the how
rules on data protection must be processed within the constitutionally protected area.
What information is provided to the persons concerned
Verifiera provides information about the content on Verifiera.se to its users. One
registered has the opportunity to become a user on Verifiera.se and can thus take part in
the public documents available there.
If users of the Background Check service receive information that they are wanted
the person appears as the appellant in cases of compulsory psychiatric care
Users of the Services get access to the information available on the Website and that
including any judgments that may affect them. Information about judgments
provided on the Website is clearly stated.
Regarding the background control function, refer to what was stated above.
Any changes made to the Services compared to the description which
appeared on the website on April 4, 2022
No changes have been made. To the extent that a law is issued on prohibitions regarding
personal data relating to health, Verifiera will review its operations on
expedient manner.
Addendum regarding ch. 1 Section 20 YGL
From the wording of ch. 1. Section 20 YGL states that the YGL does not prevent it from being announced by law
regulations on prohibition of publication of personal data. In the preparatory work for ch. 1.
Section 20 YGL does not state that the data protection regulation would be applicable to
the provision. That would have been the case if it was intended that it, contrary to the provision
wording, would accommodate other laws on prohibition. By comment to YGL on Juno
it appears that the delegation provision has not been followed up by any legislation.
It is not possible to interpret a constitution for its purpose.
It is not possible to see what consequences a possible negative decision may have and the legal situation afterwards
such a decision will be highly unclear. A legally secure course of action would have been to
await a possible law of prohibition before starting a review. Then had Verify
had knowledge of the legal situation and the content of any prohibition. Verify had then
able to act and adapt accordingly. Current review lacks all forms of the Privacy Protection Agency Diary number: IMY-2022-1621 10(28)
Date: 2022-09-13
predictability and legal certainty. Verified's view is that the review as such
and any negative decision containing corrective measures may constitute
abuse of authority.
The Credit Information Act – a comparative outlook
In the constitutions, there are provisions regarding credit information activities (which
includes operations with certificates of issue) that do not prevent it from being notified
regulations on the prohibition of such activities in certain specific situations.
Such regulations have, with the support of delegation provisions in the constitution, been introduced in
the Credit Information Act, whereby special references are expressly made to
the data protection regulation and the data protection act. It also expressly states that IMY
is the supervisory authority.
In these respects, IMY thus derives its authority from law and has through
express provisions in law introduced with the support of delegation provision right
to apply the data protection regulation in certain expressly stated respects.
All this is missing now. In the present case, the delegation provision in ch. 1. Section 20 YGL
has not been utilized and IMY lacks both the authorization and the authority to review Verified
constitutionally protected activities.
Especially about other databases
As stated above, Verifiera's business is not unique. Corresponding service or
more comprehensive services are provided by long-established services.
As a result of IMY's review, Verifiera has carried out searches for such
well-established services, for example juno.se. On juno.se, Verifiera has received hits on
wanted social security numbers, names and addresses. These search results show Verified
operations follow the industry standard for operations with certificates of issue and that
If verified, the activity is not improper, on the contrary, the activity is essential in everything
the same as with the market-leading companies in the industry.
A decision that the data protection regulation is applicable would have unforeseeable consequences
consequences for the entire industry. In light of this and what is stated in
paragraph above, it is very strange that IMY chooses to turn to Verify instead of
the well-established market-leading companies in the industry as is customary.
Limitation of the trial frame i
the review
Against the background of the nature of the matter - including the answers that Verifiera has
provided – IMY limits its examination of the Services during the relevant period to
• about 1 ch. § 20 YGL is applicable regarding the collection of data in the Services,
• on the exception for journalistic purposes ch. 1 Section 7, second paragraph of the Act
(2018:218) with supplementary provisions to the EU's data protection regulation
is applicable for the processing in the Services and
• if the company processes personal data about health in the sense referred to in
Article 9 of the Data Protection Regulation by including rulings in cases under
the law on compulsory psychiatric treatment and according to the law on treatment of drug addicts in the Privacy Protection Agency Diary number: IMY-2022-1621 11(28)
Date: 2022-09-13
certain cases in the data collection and, if so, whether the processing is compatible
with Article 9.
The review therefore does not cover whether Verified is processing personal data in the Services
is otherwise compatible with the data protection regulation. The trial also does not cover one
assessment about Verify, by disclosing in the Services financial information about
private persons, conducts credit reporting activities and if this is the case
compatible with the provisions of the Credit Information Act (1973:1173) and data protection
the regulation.
Justification of the decision
Legal background
EU law's regulation of the relationship between the right to protection of personal data
and the right to freedom of expression and information
The purpose of the Data Protection Regulation is to protect personal integrity in
processing of personal data and harmonizing the data protection regulation in order to
enable a free flow of personal data within the EU. In the data protection regulation
specifies the fundamental right to protection of personal data which is established in
Article 8 of the Charter of Fundamental Rights of the European Union (below
the charter). According to Article 8.1 of the charter, everyone shall have the right to protection of the
personal data concerning him or her. According to Article 8.2, personal data must
processed lawfully for specific purposes and on the basis of the data subject
consent or any other legitimate and lawful basis. Everyone has the right to receive
access to collected data concerning him or her and to have it rectified. IN
Article 8.3 stipulates that an independent authority must check that these rules
is complied with. A right that is closely linked with the right to protection for
personal data is the right to respect for private life and family life which is laid down in Article
7 of the charter.
Article 11 of the charter establishes the right to freedom of expression and information. There it is stipulated that
everyone has the right to freedom of expression. It is further stipulated that this right includes
freedom of opinion and freedom to receive and disseminate information and thoughts without public
authority involvement and independence from territorial boundaries.
Neither the right to protection of personal data nor the right to opinion and
freedom of information are absolute rights. Article 52.1 of the charter states that
limitations in the exercise of the rights and freedoms recognized in the charter shall
be prescribed by law and compatible with the essential content of these rights
and freedoms. Furthermore, it is stated that limitations, taking into account proportionality
principle, may only be done if they are necessary and actually meet the objectives of
public interest recognized by the Union or the need for protection of others
people's rights and freedoms.
Against this background, the Data Protection Ordinance has been designed with regard to other freedoms
and rights other than the right to protection of personal data, including opinion and
freedom of information. The task of balancing these two rights has essentially
handed over to the member states within the framework of the regulation in article 85. In article 85.1
4See article 1 of the data protection regulation and i.a. recital 10 to the regulation.
5 Cf. recital 1 to the data protection regulation.
6See recital 4 of the data protection regulation.
7 Cf. the EU Court's judgment Buivids, C-345/17, EU:C:2019:122, p. 50. Data Protection Agency Diary number: IMY-2022-1621 12(28)
Date: 2022-09-13
the data protection regulation stipulates an obligation for member states to harmonize
the right to privacy according to the data protection regulation with opinion and
freedom of information, including processing that takes place for journalistic purposes or
for academic, artistic or literary creation. According to Article 85.2 shall
Member States, for processing that takes place for journalistic purposes or for
academic, artistic or literary creation, establish exceptions or deviations
from chapter II (principles), chapter III (data subject's rights), chapter IV
(personal data controller and personal data assistant), chapter V (transfer of
personal data to third countries or international organizations), Chapter VI
(independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX
(special situations when processing personal data) if these are necessary for
to reconcile the right to privacy with freedom of expression and information.
Article 52 of the statute and Article 85 of the data protection regulation thus set limits for
how Member States may combine the right to the protection of personal data with the right to
freedom of expression and information. That the rights must be combined means that one of
the rights must not be given a general priority over the other. Further get exceptions
from the right to protection of personal data according to the data protection regulation only take place if
8
the exceptions are necessary to unify the rights. The European Court of Justice has stated that
to make a balanced trade-off between the fundamental rights is required
that exceptions and limitations in relation to the protection of personal data do not apply
beyond the limits of what is strictly necessary. This statement was directive
10
95/46/EG , which was replaced by the data protection regulation, but is according to IMY's assessment
relevant also in relation to the data protection regulation.
The European Court of Justice has also ruled that in order to take into account the importance of freedom of expression i
democratic societies, the concepts associated with this, including
journalism, interpreted in a broad sense. This means, among other things, that exceptions from and
limitations of the data protection regulation should not only apply to media companies,
but on all persons who are active in journalism. It is clear from the court's practice
further that "journalistic activity" is such activity that aims to disseminate
information, opinions or ideas to the public, regardless of the medium
this happens.11
The Swedish Data Protection Act's exception for freedom of expression and information
In Swedish law, regulations based on Article 85 of the Data Protection Regulation have
announced in ch. 1 Section 7 of the law (2018:218) with supplementary regulations to the EU's
data protection regulation (hereinafter the data protection act).
In ch. 1 Section 7, first paragraph, of the Data Protection Act, an exception is made for such processing as
covered by the Freedom of Press Ordinance (TF) and the Freedom of Expression Act (YGL), below
collectively referred to as the basic media laws. The said provision states that
the data protection regulation and the data protection act shall not be applied to the extent that
would conflict with TF or YGL. According to the preparatory work, it is thereby made clear that
the basic media laws take precedence over the data protection regulation and
12
the provisions of the Data Protection Act.
8 Cf. ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 63.
9
10th ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 64.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with
11 regarding the processing of personal data and the free flow of such data.
See ECJ judgment Buivids, C-345/17, EU:C:2019:122, pp. 51–53.
1 See prop. 2017/18:105, p. 187. The Swedish Privacy Agency Diary number: IMY-2022-1621 13(28)
Date: 2022-09-13
The basic media laws provide far-reaching protection for freedom of expression and information.
For example, according to the so-called instruction, the person who is to judge abuse should
of the freedom of the press and expression – or in other ways watch over that the constitutions are complied with
- always bear in mind that the freedom of the press and expression are the foundations of a free
social condition, always pay attention to the subject and the thought more than the expression
illegality, as well as the purpose more than the method of presentation and in doubtful cases rather
free from trap (ch. 1 § 10 TF and ch. 1 § 15 YGL). Furthermore, an authority may not
prohibit or impede such provision due to its content, without support i
the constitution, the so-called obstruction ban (ch. 1 § 11 YGL). In addition, an authority gets
nor intervene against anyone for abuse of freedom of expression, unless there is support for it
the intervention in the constitution (ch. 1 § 14 YGL).
In ch. 1 Section 7, second paragraph of the Data Protection Act, exceptions are made for opinion and
freedom of information outside the constitutionally protected area. The exception includes
processing of personal data that takes place for journalistic purposes or for
academic, artistic or literary creation. It could, for example, be a matter of
journalistic activity conducted in blog form but without proof of publication. IN
the provision states that Articles 5–30 and 35–50 of the EU Data Protection Regulation and
2–5 chap. The Data Protection Act shall not be applied to processing that takes place for e.g.
journalistic purposes. The exception means that the data protection regulation and
the provisions of the Data Protection Act on supervision, remedies, liability and sanctions i
the practice is applicable only to the extent of supervision of or violations of
the provisions on security for personal data. 13
The basic regulation on voluntary issuance certificates
Because the exception in ch. 1 Section 7 first paragraph of the Data Protection Act shall be applicable
it is required that it is a question of treatment that is covered by constitutional protection according to
the media fundamentals. As a general rule, publications on the internet fall outside YGL's scope
scope of application. This means that the data protection regulation is normally
applicable to such processing. However, exceptions to the main rule are made through among
otherwise the database rule (ch. 1 § 4 YGL). For the processing of personal data such as
covered by the database rule, the data protection regulation, according to ch. 1 Section 7 first paragraph
the Data Protection Act, is not applied to the extent it would conflict with
the freedom of expression basis.
Under certain conditions, the database rule provides constitutional protection for statements that take place
through provision to the public from databases. What is typically meant is
provision of stored information from websites upon request. For some
actors apply the constitutional protection automatically, i.e. without anyone special
action needs to be taken. This is the case for periodicals and editorial boards
for programs. Also other traditional mass media companies, such as book publishers
that publish printed books and news agencies, have automatic constitutional protection for theirs
databases. Other actors have the opportunity at the Norwegian Press, Radio and Television Authority
apply for a certificate of issue and thus receive so-called voluntary constitutional protection (cf. 1
Cape. § 4 first paragraph 1 d and § 5 YGL). In the case of an application for a certificate of issue, this is done
not any examination of the content or purpose of the database.
The voluntary constitutional protection for databases was introduced in 2003 following a development which
meant that other than the traditional mass media companies to an ever greater extent
had started providing information to the public on the Internet. Other media companies
and individuals had become involved in news reporting, opinion formation and
the enlightenment, and the new communication was considered necessary for
13 See prop. 2017/18:105, p. 187.
14 Prop. 2021/22:59, p. 30. The Swedish Privacy Agency Diary number: IMY-2022-1621 14(28)
Date: 2022-09-13
freedom of expression and freedom of information. Against this background, the government did
the assessment that there were reasons to offer constitutional protection equivalent to that which
15
previously had been reserved for the mass media companies also for the new actors. But
already when the voluntary constitutional protection was introduced, the constitutional committee warned
so that conflicts with the protection of personal integrity could arise
and pointed out in particular that the constitutional protection could in the worst case include
databases that are pure personal records. The Constitution Committee therefore considered that
the government should further analyze or have analyzed whether the voluntary
constitutional protection could come into conflict with the provisions intended to protect
the personal integrity. The Riksdag agreed with the committee's assessment and
17
announced this to the government.
The Free Speech Committee was tasked with analyzing the issue, but did
the assessment that there was no need for constitutional amendments. The year 2014 gave
the government Media Basic Law Committee tasked with re-investigating the issue.
The Media Basic Law Committee made the assessment that there were reasons to restrict
constitutional protection for certain types of search services and instead allow regulations on
team level. The Committee therefore proposed an express exception in TF and YGL for some
search services that provide sensitive personal data (among other things such as
revealing political or religious views or relating to health and sexual life) and information
19
about legal violations, etc. The government agreed with the committee's assessment and
proposed changes in TF and YGL in accordance with the committee's proposal. 20
The Riksdag adopted the government's proposal for amendments to TF and YGL in that part of the amendments
referred to data collections with sensitive personal data but rejected the proposal in that part
it concerned personal data on legal offences. However, the Riksdag announced for
the government that an inquiry should be commissioned to re-investigate the question of whether
limit the constitutional protection of search services that contain personal information that
individuals have committed legal offences, appear in convictions or have been
subject to criminal procedural coercive measures. 21
On January 1, 2019, the amendment to the basic media laws entered into force (ch. 1. 13 TF and 1
Cape. § 20 YGL). It is clear from these provisions that the provisions of the YGL do not
prevents regulations being issued by law prohibiting the publication of
personal data about, among other things, health (Chapter 1 § 20 first paragraph 2 YGL). This applies
only if the personal data is included in a data collection that has been arranged so that it is
possible to search for or compile these (chapter 1 § 20 second paragraph 1).
In addition, it is required that with regard to the business and the forms under which
the data collection is kept available, there are special risks of improper intrusions
the personal integrity of individuals (Chapter 1 § 20 second paragraph 2).
The government gave, in accordance with the Riksdag's announcement, the 2018 print and
freedom of expression committee tasked with investigating the question of a restriction of
the constitutional protection for data collections with information about legal violations, etc.
The committee presented proposals which meant that the existing delegation provisions
if sensitive personal data would be supplemented in such a way that personal data about
offenses were added to the list of categories of personal data that can
15 Prop. 2001/02:74, pp. 47–48.
16 Bet. 2001/02:KU21, p. 32.
SEK 17 2001/02:233.
18SOU 2009:14 and SOU 2012:55.
19
20SOU 2016:58.
21 Prop. 2017/18:49, p. 144.
See bet. 2017/18:KU16 and 2018/19:KU2, SEK 2017/18:336 and 2018/19:16. Data Protection Agency Diary number: IMY-2022-1621 15(28)
Date: 2022-09-13
regulated by common law. The committee also proposed certain other changes in
22
the design of the existing delegation provision. The government presented
proposal for changes in ch. 1 § 13 TF and ch. 1 § 20 YGL in accordance with the committee's
23
suggestions. However, the Riksdag rejected these proposals with the exception of a correction of
linguistic inaccuracies in the regulations. 24
The interpretation of ch. 1 Section 20 YGL and IMY's authority
According to ch. 1 § 20 first paragraph 2 YGL does not prevent the provisions of YGL that in law
regulations are issued on the prohibition of publication of personal data about among
other health. The first question that IMY has to decide on is thus whether
the provisions of the data protection regulation constitute such prohibition regulations
announced in law referred to in ch. 1. Section 20 YGL.
IMY makes the assessment that the expression regulations in law in ch. 1. § 20 YGL covers EU-
regulations and that regulations on prohibitions in ch. 1. § 20 YGL does not only cover clean
ban on the publication of personal data but also regulations that are smaller
intervention and which limit the possibility of publishing personal data. IMY does
this assessment for the following reasons.
When the expression "law" is used in Swedish constitutions in the way that occurs in ch. 1 Section 20
25
YGL the term normally covers EU regulations without being specified in the legal text. Of
the preparatory work for ch. 1 Section 20 YGL states that this provision must also be interpreted accordingly
this way. It states that EU regulations are equalized by law, according to the practice which
developed in connection with the existing delegation provision. It is further stated that
the provision also includes an opportunity to prescribe measures that are smaller
27
intervention than prohibition. Similar statements are made in the legislative matter of corollary
changes in ordinary law to the changes in the basic media laws. It states that
the provisions of the Data Protection Ordinance and the Data Protection Act would regulate them
data collections with personal data covered by the proposed exceptions
the provisions of the Freedom of the Press Ordinance and the Freedom of Expression Act (i.e. ch. 1
§ 13 TF and ch. 1 § 20 YGL). Also in the bill that was prompted by
the report from the 2018 Press and Freedom of Expression Committee states that
the provisions of the data protection regulation constitute such regulations in law as referred to in
1 ch. Section 20 YGL. This means that the data protection regulation must be applied in those cases
the conditions in ch. 1 § 20 YGL are fulfilled. In other words, exceptional
the provision in ch. 1 § 7 first paragraph of the Data Protection Act not applicable to such
processing because an application of the data protection regulation would not conflict with
YGL.
IMY is a supervisory authority according to the data protection regulation and thus authorized to exercise
supervision of such treatment that is exempt from constitutional protection according to ch. 1 Section 20
YGL. This means that IMY has the authority to try whether ch. 1. § 20 YGL is applicable
2SOU 2020:45.
2 Prop. 2021/22:59.
2Bet. 2021/22:KU14 appendix 3, SEK 2021/22:283.
25
See e.g. prop. 2017/18:105, pp. 27, 127, 130 and prop. 2020/21:172, p. 258. Cf. also see prop. 1999/2000:126, p.
135 f. and 272.
2 Prop. 2017/18:49, p. 147 f., 154, 188 and 255. See also SOU 2016:58, p. 406.
2 Prop. 2017/18:49, pp. 188 and 255. See also SOU 2016:58 p. 406.
2 Prop. 2021/22:59, p. 39 f. and Ds 2017:57, p. 118.
2 Prop. 2021/22:59, p. 39 f.
Section 33 of the regulation (2018:219) with supplementary provisions to the EU's data protection regulation and Section 2 a
the regulation (2007:975) with instructions for the Swedish Privacy Agency. Swedish Privacy Agency Diary number: IMY-2022-1621 16(28)
Date: 2022-09-13
on a certain processing to clarify whether the data protection regulation is applicable
31
or not.
The exception in ch. 1 § 20 YGL is applicable
In order for the delegation provision in ch. 1 § 20 YGL shall be applicable to the person in question
the processing of personal data in the Services requires that the following three conditions are met:
1) that sensitive personal data is made public (first paragraph),
2) that the data is part of a collection of data that has been arranged so that it is possible to
search for or compile these (second paragraph 1) as well as
3) that with regard to the business and the forms in which the data is collected
is kept available, there are particular risks of improper intrusion into individuals' personal
privacy (second paragraph 2).
Personal information about health is made public
IMY states at the outset that the information included in the Services is published on
the way referred to in ch. 1. Section 20 YGL. The next question is about the data that Verify
provides through the Services contain such personal data as specified in 1
Cape. § 20 YGL first paragraph. As stated above, IMY has limited its review to
rulings in cases in the general administrative courts under the Psychiatric Act
compulsory care (LPT), so-called psychiatry cases, and according to the law on the care of drug addicts in some cases
(LVM), so-called LVM targets. The sensitive personal data that may primarily appear in
such rulings are information on health according to ch. 1. § 20 YGL first paragraph 2.
According to the preparatory work, the concept of personal data on health has been taken from Article 9.1 i
data protection regulation and shall be given the same meaning as in the regulation. 32
Data on health is defined in Article 4.15 of the Data Protection Regulation as
personal data relating to a natural person's physical or mental health, including
provision of healthcare services, which provide information about his
health status.
The European Court of Justice has ruled that the special categories of personal data specified
in Article 9 of the Data Protection Regulation, i.a. information about health, must be given a broad interpretation.
According to the European Court of Justice, it is sufficient that the data indirectly discloses sensitive information to
33
to be covered by the protection in Article 9 of the Data Protection Regulation. Further includes, according to
The European Court of Justice, the concept of "data on health" all aspects of a person's health,
34
both physical and psychological ones. The European Data Protection Board (EDPB) has
stated that the concept of "information about health" should be interpreted broadly and includes, among other things
information collected by healthcare providers in a patient record (e.g. medical history
and results of examinations and treatments). 35
Verifiera's own information shows that the company provides all of the Services
rulings in psychiatry cases and LVM cases from the general administrative court since 2008
in unchanged condition.
31 Prop. 2021/22:59, pp. 53–54.
32
33 Prop. 2017/18:49, p. 188.
34 ECJ judgment Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, pp. 125–128.
35 ECJ judgment Lindqvist, C-101/01, EU:C:2003:596, p. 50–51.
Guidelines 3/2020 on the processing of data on health for scientific research purposes in connection with covid-
19 outbreak, p. 7–8. The Swedish Privacy Agency Diary number: IMY-2022-1621 17(28)
Date: 2022-09-13
Section 3 of the LPT states that compulsory care according to that law may only be given if the patient is suffering
of a serious mental disorder and if certain other conditions are met. According to § 4 LVM
mandatory care must be ordered according to that law for someone as a result of ongoing abuse
of alcohol, drugs or volatile solvents is in need of care to get away from
his abuse and certain other prerequisites are met.
IMY finds that information that someone is or has been the subject of compulsory care with support
of LPT or LVM - which means that the prop "suffers from a serious mental disorder"
or props "as a result of ongoing abuse of alcohol, drugs or fugitives
solvent is in need of care to get out of their addiction” is fulfilled – is
information about health in the sense referred to in ch. 1. Section 20 first paragraph 2 YGL and
article 9.1 of the data protection regulation. That the actual diagnosis or cause as well
appears is not a prerequisite for this assessment.
The decisions of the general administrative courts mainly refer to review of
authorities' decisions after appeals by individuals. Some particularly drastic decisions
however, is tried or made there without the individual having appealed any decision, either
after the authority that made the decision submitted it to judicial review or applied
about the decision to be made. This applies, among other things, to psychiatric cases, where a patient who
is subject to compulsory care can appeal certain decisions connected to the care to
the administrative rights (see §§ 32 and 33 LPT) while certain more intrusive decisions must
is subject to review by the administrative court (see e.g. § 12 LPT) or is only taken after
the authority's application to the administrative court (see e.g. § 7 LPT), regardless of the individual
attitude. This also applies to LVM cases, where the court decides to prepare for compulsory care
according to LVM (see § 5) or review decisions on immediate care according to LVM
after submission (see §§ 15 and 17).
Cases in the general administrative courts are decided by judgment or decision
(collectively referred to as rulings). Such rulings must state the reasons as determined
the end (section 30 second paragraph of the Administrative Procedure Act [1971:291]). Further shall i
the decision states the parties (i.e., among other things, who has complained or who is subject
for the application or the subordinated decision), the matter in brief and to the extent that
an account of the judgment or decision which has been appealed is needed or
subordinated (Section 13 of the Ordinance [2013:390] on cases in general administrative court).
Against this background, IMY states that the general administrative courts
rulings in psychiatry cases and LVM cases typically contain information about health
the person who is the subject of compulsory care, i.e. the person who has
appealed the decision which has been made with the support of the respective law or which is the subject
for the application or the subordinated decision without appeal.
Because such rulings in their unaltered state are provided by Verify Through
The services are the criterion in ch. 1. Section 20 first paragraph YGL to sensitive personal data
published fulfilled.
The data collection has been arranged so that it is possible to search for or
compile sensitive personal data
The second question that IMY must decide on is whether the sensitive data is included in a
collection of information that has been arranged so that it is possible to search for or compile
these (chapter 1 section 20 second paragraph 1 YGL).
Initially, it is stated that the word "data collection" in YGL was chosen to avoid
confusion with the term "register", which is what is meant in normal parlance. The Swedish Privacy Agency Diary number: IMY-2022-1621 18(28)
Date: 2022-09-13
According to the preparatory work, no large amount of data is required, but there must be
personal data relating in any case to more than one person and the data must be
sorted according to some kind of system. 36
Verifiera has stated that all decisions from 2008 onwards exist and have been made
searchable in the Services and, when asked, did not provide detailed information about that number
decisions that are actually processed. IMY has therefore obtained the official statistics which
The Courts Agency has brought up settled cases in the general administrative courts.
Verifiera has had the opportunity to comment on this basis but has not submitted anything
37
opinion. The statistics show that during the period 2008–2021 there is a total of approx
210,000 decisions, of which approx. 193,000 (approx. 13,800 per year) in psychiatric cases and approx. 188
39
000 (approx. 1,300 per year) in LVM cases for rulings in the administrative courts alone. Also
if it can be assumed that some of these rulings apply to the same people, it can
it is established that it involves a large amount of information about health about a large amount
people. According to IMY, there is no doubt that it is such a case
data collection referred to in ch. 1 Section 20 second paragraph 1 YGL.
With regard to the expression “arranged so that it is possible to search for or compile
the tasks" it is stated in the preparatory work that the data collection does not need to have been structured on
a way that facilitates searching for exactly the personal data covered
the provision. For the provision to become applicable, it is sufficient that
the data collection provides the opportunity for free text searching. 40
Verifiera's own information shows that it is possible to search in the Services
the data collection through free text search as well as through special fields for searches
on name, social security number, city and address. The data collection has thus been arranged as follows
that it is possible to search for or compile sensitive personal data in that way
as referred to in ch. 1 Section 20 second paragraph 1 YGL.
There are particular risks of undue intrusions into personal privacy
Applicable regulations, etc.
The last question for the applicability of ch. 1. § 20 YGL on which IMY has to take a position
is if there are particular risks of undue intrusions into individuals' personal integrity.
According to the provision, the assessment of whether there are such special risks
be done with regard to the business and the forms under which the data collection is held
available (chapter 1 section 20 second paragraph 2 YGL). The implication is that the scope of
the provision is narrowed down and made dependent on the risks of breaching it
the personal integrity that a certain type of data collection entails. So it is
only for certain qualified situations, which entail special risks of impropriety
intrusion into the personal integrity of individuals covered. 41
36
37 Prop. 2017/18:49, p. 150.
Available here https://www.domstol.se/om-sveriges-domstolar/statistik-styrning-och-utveckling/statistik/officiell-
court statistics/.
38Decided psychiatric cases in the administrative courts per year according to statistics from the Norwegian Judicial Agency: 13,649 (2008), 13,551 (2009),
13,309 (2010), 13,267 (2011), 13,242 (2012) 12,942 (2013), 13,836 (2014), 14,034 (2015), 13,881 (2016), 13,425
(2017), 14,108 (2018), 14,561 (2019), 14,594 (2020) and 14,840 (2021).
39Decided LVM cases in the administrative courts per year according to statistics from the Norwegian Judicial Agency: 1,196 (2008), 1,166 (2009), 1
280 (2010), 1,164 (2011), 1,126 (2012), 1,222 (2013), 1,422 (2014), 1,462 (2015), 1,391 (2016), 1,390 (2017), 1,298
(2018), 1,280 (2019), 1,252 (2020) and 1,183 (2021).
40 Prop. 2017/18:49, p. 189.
41
Prop. 2017/18:49, p. 189. The Swedish Privacy Agency Diary number: IMY-2022-1621 19(28)
Date: 2022-09-13
The government stated in the bill Amended media basic laws (prop. 2017/18:49)
42
including the following.
"The proposal therefore means that an overall assessment must be made of the nature of them
data collections that are intended to be met by the applicable legal regulation.
Assessment grounds of importance should, as the committee states, be able to be
the target group of the data collections, the forms of provision and the services' search
and compilation functions. In this lies the fact that the data collections
basic structure can be attributed importance. Services that make it possible
for the public to search on e.g. name, social security number or address get
information about individuals' health, sex life or occurrence of criminal convictions
would normally entail such risks for undue privacy breaches that they
falls within the scope of the delegation provision.
[…]
Data collections with a so-called personal data related structure that aims to
Facilitating searches for personal data normally means greater risks for
undue breaches of privacy than services with a general structure that makes it possible
to search for data with free text search, although the differences are not so great that
they in themselves determine the applicability of the provision. Special search fields for someone or some
of the personal data concerned or the possibility of obtaining a compilation of
these, for example in the form of a map image, typically entail great risks for
undue intrusions into personal privacy. In this context, it should
normally irrelevant if the service is only available to professional operators.
[…]
According to the government, the starting point should be that legal databases that clearly target
themselves to a circle that, on professional grounds, has a legitimate need for them
the current information falls outside the scope of application of the provision. At
however, the assessment should also for such databases the search and
compilation functions are given importance. For example, get special search fields
for any or some of the personal data concerned or the possibility of obtaining one
compilation of these, for example in the form of a map image, typically said
entail great risks for undue intrusions into personal integrity. Such
structures should normally mean that there are conditions for legislation with support
of the delegation provision, even when legislation hits databases there
the information is provided for a fee and the target group is professional.”
43
The Constitution Committee stated, among other things, the following:
"The committee opposes making a distinction between whether a service addresses
the general public or a certain professional category. A search service that caters to the broad
the public can in and of itself mean a greater breach of privacy than a search service
which is only open to a smaller circle, e.g. a certain occupational category. But also one
search service that caters to a certain occupational category may become available for
a very large number of users. The committee does not consider that the target group, i.e. the
intended or actual user group, in itself must be given some meaning at
the assessment of whether a collection of data falls within or outside it
constitutionally protected area. The assessment should instead be made on the basis of
42 Prop. 2017/18:49, pp. 152–153 and 190.
43 Bet. 2017/18:KU16, p. 41. The Swedish Privacy Agency Diary number: IMY-2022-1621 20(28)
Date: 2022-09-13
the purpose of the provision of the data collection and the type of data
provided. Privacy breaches resulting from data collections provided
with the aim of contributing to a free exchange of ideas and a free and comprehensive information can
are not considered inappropriate and should therefore be excluded as a starting point
the scope of the delegation provisions. The committee wishes to underline that
it is very important that a significant margin be applied as to what
falls within the constitutionally protected area so that the interest in freedom of expression does not get
give way to the interest in protecting the privacy of individuals in borderline cases or those that are difficult to judge
situations. Such an approach also gains support in the so-called the instruction i
the constitutions, according to which the person entrusted to judge or watch over print and
freedom of expression should always bear in mind that freedom of press and expression is a foundation
for a free state of society, should always pay attention to the subject and the thought more than
the expression as well as the purpose more than the method of presentation and in doubtful cases rather should
free than trap. Pure search services for the provision of sensitive personal data
according to the exhaustive enumeration in the provision can be said to be far from them
purposes which the constitutions are to protect, and such services are thus met
typically by the delegation provisions.”
IMY's assessment
According to IMY, the reported operator's statements mean the following in summary.
What the constitutional committee stated in connection with the constitutional amendment means that it
when assessing the risks of privacy breaches according to ch. 1 § 20 YGL should not
is any significance attached to whether a search service addresses the general public or
is available for a certain occupational category. Instead, an overall assessment must be made
taking into account, among other things, the purpose of providing the data collection,
the type of data provided and search and aggregation functions.
It should be taken into account that data collections aimed at facilitating searches for
in particular, personal data normally involves greater risks. However, data collections should
which is provided with the aim of contributing to a free exchange of meaning and a free and versatile
information is not considered improper and should therefore be excluded as a starting point
the scope of application of ch. 1 Section 20 YGL.
The collection of data that Verifiera provides is the result of an extensive
collection of judicial decisions in psychiatry cases and LVM cases that contain a lot
privacy-sensitive information. The collection takes place without assessment of its relevance
the individual decision has for e.g. the public debate or investigative journalism.
The result is a collection of data on everyone who has been the subject of this since 2008
compulsory care due to mental illness or substance abuse.
It also appears from the investigation that the purpose of the data collection is, among other things, to
provide background checks in, for example, recruitment. Treatment of them
the current data on health in such contexts can lead to noticeable
consequences for the data subjects.
It appears from Verifiera's own data that the data collection has been structured in this way
that when searching for people, there are special search fields for name, social security number, city, address
and free text and that search results are displayed in real time. Furthermore, it has not appeared to Verify
taken any measures to exclude or limit the possibility of applying to
data that can be directly attributed to a natural person, such as name or
social security number. Nor has it appeared that Verify removed or masked
such information in the documents. The Swedish Privacy Agency Diary number: IMY-2022-1621 21(28)
Date: 2022-09-13
According to IMY's assessment, it is a question of such a search service for the provision of
sensitive personal data which, in accordance with what the constitutional committee stated in
connection with the constitutional amendment, is far from the purposes for which the constitutions are intended
to protect.44
All in all, this means, according to IMY's assessment, that Verified publication of
the collection of data entails special risks for improper interference with individuals' personal information
integrity. Thus, the third and last criterion in ch. 1 is also § 20 YGL fulfilled.
Summative assessment
In conclusion, IMY does – even taking into account the significant
assessment margin as assigned by the constitutional committee – the assessment to Verify
provides such a data collection as referred to in ch. 1. § 20 YGL, in that part
the collection of information involves the publication of decisions in psychiatric cases and LVM-
goal. This part of the data collection is thus not protected according to YGL, which means
that the exception in ch. 1 Section 7 first paragraph of the Data Protection Act is not applicable to
the treatment.
The next issue that IMY has to assess is whether the exception for journalistic purposes in 1
Cape. Section 7, second paragraph, of the Data Protection Act is applicable to the processing.
The processing does not take place for journalistic purposes
Applicable regulations, etc.
Through ch. 1 Section 7, second paragraph of the Data Protection Act exempts large parts of
the data protection regulation for processing that takes place for, among other things, journalistic purposes
purpose. According to the exception, articles 5–30 and 35–50 of the data protection
the regulation and ch. 2–5 in the Data Protection Act applies to such processing.
The European Court of Justice has judged that in order to take into account the importance of freedom of expression in democratic
societies, the concepts associated with this, including journalism, must be interpreted
in a broad sense. This means, among other things, that exceptions from and limitations of
the data protection regulation should not only apply to media companies, but to everyone
persons who are active in journalism. The practice of the European Court of Justice also shows that
"journalistic activity" is such activity aimed at disseminating information,
45
opinions or ideas to the public, regardless of the medium through which this occurs.
At the same time, the European Court of Justice has ruled that not all information that is made available on
internet and which contains personal data is covered by the term "journalistic
Operation". The European Court of Justice has further found in the judgment Google Spain and Google that
a search engine provider's processing through the provision of the search engine could not
considered to be for journalistic purposes. 47
In the ministerial memorandum Consequential changes to amended media fundamental laws, it was stated
i.a. the following in the matter of search services with criminal convictions could be covered
the concept of journalistic activity.
"With this assessment, it is difficult to imagine a situation where it
the committee mentioned the typical case of a data collection that is hit by the exceptions i
44Bet. 2017/18:KU16, p. 41.
45 ECJ judgment Buivids, C-345/17, EU:C:2019:122, pp. 51–53.
46 ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 58.
47 ECJ judgment Google Spain and Google, C-131/12, EU:C:2014:317, p. 85. Data Protection Agency Diary number: IMY-2022-1621 22(28)
Date: 2022-09-13
the Freedom of the Press Ordinance and the Freedom of Expression Act – one aimed at the general public
pure search service regarding criminal convictions - with application of the
The European Court of Justice indicated that the proportionality assessment would be considered to fail
the journalist exception in the data protection act. This taking into account that the data
quite obviously are very sensitive to privacy and then such a register cannot
said to inform, exercise criticism and provoke debate on social issues of importance to
the public. It would therefore go too far to claim that an exception from
the protection of personal data in such a case is strictly necessary. That may also be considered to be the case
the case of other sensitive personal data regarding, for example, ethnic background,
sexual orientation or religious beliefs.
As stated in section 5.2.2, it is also relevant for the search service in question
contains editorial material. It would, however, be required that the connection between
the personal data and the editorial feature appear clear and relevant
so that the exception for journalistic activities can be invoked. Regarding
the example of a private load register directed at the public is made
the assessment that this cannot reasonably fall under the journalist exception simply because
there are also independent articles and legal articles in connection with the register
analyzes. Another arrangement would mean that privacy protection can easily
circumvented in a way that cannot be considered responsive to the balanced assessment
between the protection of privacy and freedom of expression as indicated by the European Court of Justice
The Satakunnan goal.” 48
In the bill An appropriate protection for the freedom of the press and expression (prop.
2021/22:59, p. 54) the following was stated:
"Against that background, it is difficult to imagine a situation where one
data collection provided in a constitutionally protected activity is exempt
from constitutional protection due to the nature of the data collection but is covered by
the data protection act's journalist exception. An assessment of every conceivable situation can
although of course not generally done in advance. When the delegation provisions well
are applicable, it may be determined in the usual way in the individual case which requirements in
the data protection regulation that the provider of the data collection needs
follow."
The Swedish Privacy Protection Authority's assessment
The issue that IMY has to decide on is about the processing of personal data
health that Verify performs by including rulings in psychiatry targets and LVM targets i
The services are provided for journalistic purposes in the sense referred to in ch. 1. § 7 second
49
paragraph of the Data Protection Act and Article 85 of the Data Protection Ordinance. It can
initially ascertained, in accordance with what appears from the operator's statements
above, that the scope for assessing that a data collection covered by ch. 1 Section 20
YGL is done for journalistic purposes must be considered very limited.
IMY further notes that the fact that a website contains certain
publications with a journalistic purpose does not mean that all publications on it
50
the website must be considered to have a journalistic purpose. That in connection with a
data collection with legal rulings there are independent articles and legal
analyzes thus do not automatically mean that the entire data collection has one
48Ds 2017:57, p. 121.
49 For a more extensive review of the interpretation of the term "journalistic purposes", see IMYRS 2022:2, which
is available here https://www.imy.se/globalassets/dokument/rattsligt-stallningstagande/imyrs-2022-2-undantaget-
for-journalistic-andamal.pdf.
50 See NJA 2001 p. 409, Ds 2017:57, p. 121 and IMYRS 2022:2, pp. 25–27. Privacy Protection Agency Diary number: IMY-2022-1621 23(28)
Date: 2022-09-13
journalistic purpose. It should be required that the connection between the personal data and that
the editorial element appears to be clear and relevant because the exception for
journalistic activity must be able to be invoked. It has not emerged in the case that it
there is an editorial content with a clear and relevant connection to it in the case
current part of the data collection with decisions in psychiatry cases and LVM cases.
The investigation shows that the Services aim, among other things, to provide
personal data for background checks of natural persons in connection with, for example
recruitment. According to IMY's assessment, such processing of personal data cannot
considered to have journalistic purposes. However, Verifiera has stated that the Services also have
purposes other than background checks, e.g. research. As IMY notes above, it is
data collection that Verify provides the result of an extensive collection of
legal rulings with very privacy-sensitive information. The collection takes place without
assessment of the relevance of the ruling for e.g. the general debate or
investigative journalism. There is also no processing of the rulings, e.g.
to remove direct personal data such as name and social security number. The result is one
data collection in which it is possible to search for anyone who has been the subject of since 2008
compulsory care due to mental illness or substance abuse. This data collection cannot
is considered to have the main purpose of disseminating information, opinions or ideas to
the public in the manner referred to in ch. 1. Section 7 second paragraph of the Data Protection Act and
Article 85 of the Data Protection Ordinance.
For the purpose of Verify stated that the activity is necessary for the common man
legitimate interest in obtaining access to public documents, there is reason to underline
that the relationship that the public may have a legitimate interest in taking part in
public documents in an easily accessible way does not in itself mean that Verifiera has one
journalistic purpose with its treatment. The European Court of Justice stated in the judgment
Google and Google Spain that the public could have a legitimate interest in participating
information by searching a person's name in a search engine. At the same time beat
the court held that the search engine provider could not invoke the exception for
journalistic purposes when processing personal data in such searches. This
applied according to the court even in cases where the search hit referred to a newspaper article and in itself had
52
journalistic purposes. According to IMY's assessment, the business Verifiera is located
conducts through the relevant part of the data collection in the case, on the corresponding
way as a search engine provider's business, outside of the journalistic exception
purpose.
In summary, IMY makes the assessment that the publication of rulings is verified in
the target types in question are not covered by the exception in ch. 1. Section 7, second paragraph
the data protection act.
Verifiera is the personal data controller for the processing
As can be seen above, IMY makes the assessment that the data protection regulation is applicable to
processing in the Services.
The personal data controller according to the data protection regulation is the person who alone or
together with others determines the purposes and means for the processing of
personal data (Article 4.7).
51 See IMYRS 2022:2, p. 23 f.
52 ECJ judgment Google Spain and Google, C-131/12, EU:C:2014:317, p. 81, 85 and 95. Data Protection Agency Diary number: IMY-2022-1621 24(28)
Date: 2022-09-13
IMY states that it is Verifiera that provides the Services for financial consideration
compensation to paying users. Furthermore, Verify has stated that it is Verify
who decide on the purposes and means for the personal data processing of their service,
let it be that Verifiera points out that "in journalistic terms, it is the user who
decides on the purposes, in the same way that a newspaper reader himself decides
the target when this takes part in a published magazine, and not the newsroom which
published the paper.”
Against this background, IMY finds that Verifiera is the personal data controller for
the personal data processing consisting of the provision of the Services and
the data collection.
The processing is contrary to Article 9 of the Data Protection Regulation
Applicable regulations
As stated above, IMY makes the assessment that Verifiera processes sensitive data
personal data consisting of information about health in the Services. According to Article 9.1 i
data protection regulation, the processing of such data is generally prohibited.
In order for the processing to be permitted, it is required that one of the exceptions specified in
Article 9.2 of the Data Protection Regulation is applicable to the processing.
According to Article 9.2 a of the data protection regulation, the prohibition in Article 9.1 shall not be applied
the data subject has expressly consented to the processing.
According to Article 9.2 g, the prohibition in Article 9.1 does not apply if the processing is necessary for
consideration of an important public interest, on the basis of Union law or Member
the national law of the states, which must be proportionate to the intended purpose, be
consistent with the essential content of the right to data protection and contain
provisions on appropriate and specific measures to ensure the registered
fundamental rights and interests.
Consent
The collection of information that is the subject of IMY's review consists of a large number
legal rulings in psychiatry and LVM cases. The data collection is used by Verify
to provide the Services. One of these is called the background check service.
Verifiera has argued that express consent, according to Article 9.2 a of the data protection
regulation, exists for the part of the processing that relates to this service. IMY
notes, however, that Verifiera obtains consent only in connection with a
background check is ordered from Verify. Consent is thus only given after
Verify performed the treatments to collect and arrange for searchability the decisions therein
the sensitive personal data is processed. A consent that is obtained after the fact is
not valid. There is therefore no reason to state about the express consent which
Verifiera claims to collect otherwise meets the conditions of the data protection regulation.
Article 9.2 g and freedom of expression and information
Regarding the processing in general, Verifiera has claimed that the processing "is
necessary for purposes relating to Verified's legitimate interest in being able to operate its
constitutionally protected activity within the framework of its certificate of issue". According to Verify
in the present case, the interests of the data subjects do not outweigh the right to
freedom of speech. Finally, state Verify that the documents in the data collection exist
available through the majority of other sources as well as what type of ruling applies
should be uninteresting as courts have to apply confidentiality to the extent that information about
health exists. The Swedish Privacy Protection Agency Diary number: IMY-2022-1621 25(28)
Date: 2022-09-13
IMY initially states that legitimate interest (also called balancing of interests) is
one of several legal bases according to Article 6.1 f of the Data Protection Regulation which is required for
that the processing of personal data must be legal. However, this basis is not included in it
enumeration of exceptions in Article 9.2 which can legitimize the treatment of such
sensitive personal data referred to in Article 9.1 and which is now in question. Like that
of course, Verify with the above stated that the exception in Article 9.2
g constitutes legal support for the processing.
IMY notes that the public's freedom of expression and information is an important general principle
interest. This is also expressed in Article 85 of the Data Protection Regulation which
imposes an obligation on Member States to incorporate in law the right to privacy i
in accordance with the data protection regulation with freedom of expression and information. According to
Article 85(2) of the Data Protection Regulation, Member States may make exceptions to
the provisions of, among other things, Article 9 if it is necessary to combine the right to
integrity with freedom of expression and information. In Swedish law, this has taken place through 1
Cape. Section 7 of the Data Protection Act, which according to IMY's assessment in this decision is not applicable
on the portion of Verifiera's data collection reviewed in this decision.
The regulation in the data protection regulation can be interpreted as only Article 85 which,
in accordance with the principle of lex specialis, must be used to regulate in national law
the relationship between the right to protection of personal data and the right to expression and
freedom of information. According to IMY, however, it cannot be ruled out that, in addition, it is possible to
introduce national regulation of the kind referred to in Article 9.2 g of the data protection regulation
to provide support for the processing of sensitive personal data that is necessary to
cater for the public's freedom of expression and information. Such regulation would
among other things need to contain provisions on appropriate and special measures to
ensure the data subject's fundamental rights and interests. Someone like that
however, regulation has not been introduced into Swedish law. There is thus no option for Verify
to apply Article 9.2 g of the data protection regulation with reference to the public
freedom of expression and information.
Article 9.2 g and the principle of publicity
Verifiera has also stated that the processing in the data collection is necessary for
the common man's legitimate interest in that, within the framework of Verified constitutional protection,
get access to public documents available in the Services. IMY therefore finds reasons
to assess whether the rules on the publicity principle in ch. 2 TF can provide support for Verified
treatment.
The data protection regulation regulates the relationship between the right to protection for
personal data and the principle of publicity in Article 86. It states that personal data i
public documents kept by an authority, a public body or a private one
body for carrying out a task of public interest may be disclosed by the authority
or the body in accordance with the national law of the Member State to adjust
combines the public's right to access public documents with the right to protection
for personal data in accordance with the regulation. In ch. 1 Section 7 first paragraph
the data protection act has also introduced regulations that make it clear that
the data protection regulation shall not be applied to the extent that it would conflict with
53
the rules on public documents in ch. 2 TF.
The provisions on the public record in ch. 2. TF gives everyone the right to take part
of public documents that are not covered by confidentiality. For it to be a matter of
5 Prop. 2017/18:105, pp. 42–43. The Swedish Privacy Agency Diary number: IMY-2022-1621 26(28)
Date: 2022-09-13
a public document, the document must be kept with an authority or another body
which is covered by the principle of publicity (Chapter 2, Sections 4 and 5 TF). The rules in ch. 2 TF
thus does not give the public a right to take part in public documents released by
an organization which, like Verify, is not subject to the obligation to disclose
documents according to the principle of publicity.
The rules in ch. 2 TF also does not give a right to the person who receives public documents
to spread them further or further process them in another way. the purpose with
the publicity principle, as expressed in ch. 2. § 1 TF, is admittedly that
promote a free exchange of ideas, a free and comprehensive enlightenment and a free artistic
creative. However, the further processing of disclosed public documents is covered
not of the provisions in ch. 2. TF without other rules, especially other parts of
the media fundamentals. The basic media laws give, among other things, the right to publish general information
documents or information from such documents and to disseminate such publications
(see, among other things, ch. 1 § 1 second paragraph and ch. 6 TF and ch. 3 YGL).
It should be emphasized that the Swedish data protection regulation creates a large scope
to further process personal data in public documents to satisfy it
fundamental importance that freedom of press and expression has for the Swedish language
state of affairs. This takes place through the exception for the basic media laws in ch. 1. Section 7 first
paragraph of the Data Protection Act and the exception for, among other things, journalistic purposes in 1
Cape. Section 7, second paragraph of the Data Protection Act. As IMY notes in this decision, covered
however, not the personal data processing of these exceptions in question.
Against this background, IMY states that ch. 2 TF does not regulate Verified
publication of sensitive personal data and therefore cannot constitute a basis according to
9.2 g of the data protection regulation for this processing. In addition, it can be stated that
the rules in ch. 2 Nor does the TF contain any such appropriate and special measures
to protect the rights of the data subjects in the further processing of released public data
actions.
Conclusions
Since nothing has come to light to suggest that any other exception in Article 9.2 is
applicable, IMY finds that Verify during the period 6 April 2022 – 28 June 2022 has
processed sensitive personal data (data on health) in violation of Article 9 i
the data protection regulation in its services at www.verifiera.se.
Choice of intervention
From article 58.2 i and article 83.2 of the data protection regulation it appears that IMY has
power to impose administrative penalty charges in accordance with Article 83.
Depending on the circumstances of the individual case, the administrative sanction
fees are imposed in addition to or instead of the other measures referred to in Article 58(2), which
for example injunctions and prohibitions. Furthermore, Article 83.2 states which factors
which shall be taken into account when deciding whether administrative penalty charges shall be imposed and at
determining the size of the fee. If it is a question of a minor violation, IMY gets
as set out in recital 148 instead of imposing a penalty charge issue one
reprimand according to article 58.2 b. Consideration must be given to aggravating and mitigating factors
circumstances of the case, such as the nature, severity and duration of the infringement
as well as previous violations of relevance.
IMY has established that during the relevant period, Verifiera has carried out a comprehensive
collection of sensitive personal data about a large number of people in the Services through the Swedish Privacy Protection Agency Diary number: IMY-2022-1621 27(28)
Date: 2022-09-13
to publish, among other things, 210,000 decisions from the administrative courts, of which approx
193,000 are psychiatric cases and approx. 18,000 are LVM cases. The goals contain a lot
privacy-sensitive information regarding people who are or have been in a very
vulnerable situation. The result is a collection of data on everyone who has been since 2008
subject to compulsory care due to mental illness or substance abuse. Of the investigation
it further appears that the purpose of the data collection is, among other things, to provide
background checks on recruitment. Processing of the current data on health i
such contexts can lead to noticeable consequences for the registered, to
example in the form of reduced opportunities to be considered for employment and
exclusion. According to IMY, the violation of Article 9 found in this decision
thus of such scope and degree of seriousness that it would normally cause
a known penalty fee.
In this supervisory case, however, there are special circumstances that militate against a sanction
charge. It concerns the processing of personal data on a website that has a
certificate of publication and as a starting point has constitutional protection according to the basic media laws.
The limitation of the constitutional protection of data collections that make public sensitive
personal data introduced in 2019 through ch. 1 Section 20 YGL has not previously been applied
by IMY. The provision has also not, as far as can be seen, been applied by any court
or any other authority. There is thus a lack of practice regarding how constitutional
the provision - which in some respects requires relatively difficult considerations
- shall be applied. In addition, until recently there has been indicative information
on IMY's website which has been perceived as meaning that IMY has no opportunity to
intervene against web pages with proof of publication. Overall, this means according to IMY's
assessment that it would not be proportionate to impose Verify a penalty fee for
the established violations in the current case. Verify AB must therefore,
with the support of Article 58.2 b of the data protection regulation, instead a reprimand is given for it
found the violation.
The publication of the sensitive personal data means a serious
breach of privacy for the persons concerned. Verified proof of issue does not allow
any exception to the data protection regulation as long as the company continues to
publish sensitive personal data in a data collection covered by ch. 1. 20
§ YGL. It is important to ensure that this breach of privacy ends. IMY
therefore assesses that there are grounds to order Verify according to Article 58.2 d i
data protection regulation to take measures so that in the services that Verifiera offers
on www.verifiera.se is no longer possible for users of the services to search
on people with one of the search parameters personal name, social security number or address
take part in decisions in cases under the Act on Compulsory Psychiatric Care or the Act on Care
of drug addicts in certain cases concerning the wanted person. The actions must have
taken no later than eight weeks after this decision became final.
______________
This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
by the lawyer Martin Wetzler. In the final proceedings, the Chief Justice David also has
Törngren, unit manager Catharina Fernquist and department director Hans Kärnlöf
participated. The lawyer Olle Pettersson has participated in the proceedings.
Lena Lindgren Schelin, 2022-09-13 (This is an electronic signature) Privacy Agency Diary number: IMY-2022-1621 28(28)
Date: 2022-09-13
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Protection Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received it
part of the decision. If the appeal has been received in time, send
The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
