
Sweden
Data Protection
Introduction
Government policy in Sweden on data protection and privacy has shifted under the present government to take greater heed of law enforcement needs, from crime fighting to counteracting the abuse of welfare benefits and control of residence registrations. The government has introduced several bills to fight organised crime, including increased camera surveillance and access to biometric data, seeking a balance between effective tools for police work and the protection of people’s privacy. The Swedish data protection authority (Integritetsskyddsmyndigheten (IMY)) has been active in this work by participating in investigations and emphasising the importance of new laws not undermining the right to privacy. The IMY keeps growing as an organisation, with significant budget increases resulting in faster processing times and more regulatory cases.
1. What national laws regulate the collection, use and disclosure of personal data?
Since 25 May 2018, the central piece of legislation for the protection of personal data has been the General Data Protection Regulation (EU) 2016/679 (GDPR). On the same date, the Swedish Data Protection Act (2018:218) (DPA), containing supplementary provisions to the GDPR and itself supplemented by the Data Protection Ordinance (2018:219), came into force. A great many further acts and ordinances contain regulations regarding personal data registries and other processing of personal data. This body of law is known collectively as the Registry Acts. The Registry Acts cover areas such as law enforcement, financial activities, healthcare, and much more. There is no authoritative list of the Registry Acts. Relevant legislation outside of the Registry Acts includes the Camera Surveillance Act (2018:1200) and the Electronic Communications Act (2022:482), the latter of which implements the European Electronic Communications Code Directive (EU) 2018/1972. The text of the European Convention on Human Rights (ECHR) has been incorporated into law in the ECHR Act (1994:1219).
2. To whom do the laws apply?
As the GDPR is binding, the scope for its application does not deviate in Sweden from that in other Member States. The DPA states that the provisions of both the GDPR and the DPA do not apply where this would contravene the Freedom of the Press Act or the Fundamental Law on the Freedom of Expression. Articles 5–30 and 35–50 of the GDPR, and Chapters 2–5 of the DPA, do not apply to the processing of personal data carried out for journalistic purposes or for academic, artistic or literary creation.
The DPA extends the reach of the GDPR in the sense that the GDPR provisions, in the original wording, and the provisions of the DPA also apply to the processing of personal data as part of activities not covered by EU law and activities covered by Title V, Chapter 2 of the Treaty on European Union. The GDPR does not, however, extend to activities covered by national regulations on the processing of personal data related to Foreign Intelligence Operations and the Military Security Service of the Swedish Armed Forces, to Foreign Intelligence and Development Operations of the National Defence Radio Establishment, or to the Swedish Security Service.
3. What is the territorial scope of the law?
As the GDPR is binding, the territorial scope for its application does not deviate in Sweden from that in other Member States. The DPA states that it applies to the processing of personal data carried out in the context of an establishment in Sweden of a controller or processor. The DPA also applies to the processing of personal data carried out by a controller not established in Sweden but in a place where Swedish law applies under international law. The DPA also applies to the processing of personal data carried out by controllers or processors even when they are only established in a third country and have no establishment in the EU if the processing refers to data subjects who are located in Sweden and have a connection to: (1) the offering of goods or services to such data subjects; or (2) the monitoring of their behaviour in Sweden. The DPA sets the age of consent at 13 years in relation to the direct provision of information society services to a child and applies to the processing of personal data regarding children living in Sweden, regardless of where the controllers or processors are established.
4. What acts and operations relating to personal data are regulated?
As the GDPR is binding, the same acts and operations are regulated in Sweden as in other Member States.
5. What personal data does the law regulate?
As the GDPR is binding, the GDPR definition of personal data applies in Sweden. The DPA does not contain supplementary regulation on the concept of personal data.
6. Are any types of personal data subject to a higher level of protection under the law?
Chapter 3 of the DPA clarifies the GDPR regulation of “special categories” of personal data and of personal data relating to criminal convictions and offences. However, the DPA regulations do not materially deviate from the GDPR.
7. What requirements must be fulfilled in order to process personal data?
As the GDPR is binding, the same requirements which must be fulfilled in order to process personal data under the GDPR in all Member States also apply in Sweden.
8. What obligations apply when processing personal data?
As the GDPR is binding, the same obligations apply when processing personal data in Sweden as in all Member States.
9. What rights does the data subject have in relation to personal data?
As the GDPR is binding, data subjects have the same rights in Sweden in relation to personal data as in all Member States. The DPA does limit data subjects’ right to access with regard to personal data in running text that has not taken on its final form when the request is made, or that is a note or similar. This exception does not apply if the personal data has been disclosed to a third party, is being processed only for archiving purposes in the public interest or statistical purposes, or has been processed over a period of more than one year in running text that has not taken on its final form.
10. What rules regulate the sending of commercial or direct marketing communications?
Sections 19–21 of the Marketing Practices Act (2008:486) regulate what this act terms “unsolicited advertising”. Communication by electronic means in the course of marketing to a natural person requires the prior consent of the receiving person, unless the sender has obtained the natural person’s email address in connection with the sale of a product to that person. This exception applies only if the person has not objected to the use of the email address for marketing by email, the marketing pertains to the trader’s own, similar products, and the natural person has been clearly and explicitly given the opportunity to object, simply and without charge, to the use of the address for marketing purposes both when it is collected and in conjunction with each subsequent marketing communication.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
The DPA does not deviate from the GDPR regulation regarding the transfer of personal data outside of the EU.
12. What are the investigatory and enforcement powers of the regulator?
The GDPR grants many varied powers to the relevant national data protection authority. The DPA explicitly authorises the IMY to exercise the powers set out in GDPR Articles 58.1–58.3. The IMY is restricted under the DPA to imposing administrative sanctions for breaches of the GDPR as listed in Article 83, and also for breaches of Article 10. The IMY may initiate investigations as a result of complaints filed with the authority or as a result of widely reported allegations of infringement. It also conducts annual supervisory audits of different sectors of society according to a supervisory plan that is revised annually. The IMY has the power to request access to personal data that is being processed by someone in its jurisdiction, including access to the premises of the processing. It may request information and documentation regarding the processing and regarding any security measures applied to that processing. The IMY may order that certain security measures be applied to the processing, and may prohibit a controller from processing personal data in any other manner than by storing it. The administrative process followed by the IMY is governed by the DPA and the general provisions of the Administrative Procedure Act (2017:900). Decisions regarding orders or sanctions can, in accordance with the IMY’s internal procedural rules, be taken by the case officer in charge, the head of department or by the Director General, depending on the gravity or importance of the decision. There is no requirement to submit a draft decision to the receiving party for comment prior to adopting it, but this has been known to happen in a small number of cases. Administrative fines may not be imposed unless the respondent has been given an opportunity to file their opposition within five years of the alleged breach. The IMY’s decisions, according to the GDPR and national provisions for administrative fees, may be appealed to the Administrative Court. 
The Administrative Court procedure is almost exclusively a written procedure with no oral hearings. The Administrative Court’s decision may also be appealed to the Administrative Court of Appeal, but this requires a review permit. Sweden applies the principles of free sifting of evidence and free assessment of evidence. The administrative process is generally less stringent and is typically adapted to the type of matter, as opposed to the legal standards applied in general court proceedings. As a general rule, however, in matters regarding administrative fees, the IMY and the courts will apply the legal standard of “proven” (styrkt).
13. What are the sanctions and remedies for non-compliance with data protection laws?
The IMY is authorised to decide on administrative sanctions against public authorities should they breach the GDPR. The penalty fee for a public authority shall be determined up to a maximum of SEK 5 million in the case of infringements referred to in Article 83.4 of the GDPR, and up to a maximum of SEK 10 million in the case of infringements referred to in Articles 83.5 and 83.6 of the GDPR. Breaches of the GDPR or the DPA cannot lead to criminal penalties in Sweden, with the exception of a breach of secrecy or confidentiality by a data protection officer concerning the performance of their tasks.