Personal Data Act (1998:204);
issued 29 April 1998.
Be it enacted as follows.
General provisions
PurposeAofAthisA ct
Section 1 The purpose of this Act is to protect people against the violation of their personal integrity by processing of personal data.
DeviatingAprovisionsAinAanotherAenactment
Section 2 If another statute or other enactment contains provisions that deviate from this Act, those provisions shall apply.
Definitions
Section 3 In this Act the following terms are used with the meaning stated below.
Term Meaning
Processing (of personal data) Any operation or set of operations which is taken as regards personal data, whether or not it occurs by automatic means, for example collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction.
Blocking (of personal data) An operation that is taken in order that personal data shall be linked with information that they are restricted and about the reasons for the restriction and in order that personal data should not be provided to a third party except under the provisions of Chapter 2 of the Freedom of the Press Act.
Recipient A person to whom personal data is provided. However, when personal data is provided in order that an authority should be able to perform such supervision, control or audit that it is under a duty to attend to, the authority shall not be regarded as a recipient.
Personal data All kinds of information that directly or indirectly may be referable to a natural person who is alive.
2
Controller of personal A person who alone or together with others decides data the purpose and means of processing
personal data.
Personal data assistant A person who processes personal data on behalf of the controller of personal data.
Personal data representative A natural person, appointed by the controller of personal data, who shall independently assure that the personal data is processed in a correct and lawful manner.
The registered person A person to whom the personal data relates.
Consent Every kind of voluntary, specific and unambiguous expression of will by which the registered person, after having received information, accepts processing of personal data concerning him or her.
Supervisory authority The authority appointed by the Government to perform supervision.
Third country A state that is not included in the European Union or part of the European Economic Area.
Third party A person other than the registered person, the controller of personal data, the personal data representative, the personal data assistant and such persons who under the direct responsibility of the controller of personal data or the personal data assistant is authorised to process personal data.
Scope
TheAterritorialAscope
Section 4 This Act applies to those controllers of personal data who are established in Sweden.
The Act is also applicable when the controller of personal data is established in a third country but for the processing of the personal data uses equipment that is situated in Sweden. However, this does not apply if the equipment is only used to transfer information between a third country and another such country.
In the case referred to in the second paragraph, first sentence, the controller of personal data shall appoint a representative for himself who is established in Sweden. The provisions of this Act concerning the controller of personal data shall also apply to the representative.
3
ProcessingAofApersonalAdataAsubjectAtoAtheA ct
Section 5 This Act applies to such processing of personal data as is wholly or partly automated.
The Act also applies to other processing of personal data, if the data is included in or is intended to form part of a structured collection of personal data that is available for searching or compilation according to specific criteria.
ExemptionAofAprivateAprocessingAofApersonalAdata
Section 6 This Act does not apply to such processing of personal data that a natural person performs in the course of activities of a purely private nature.
RelationshipAtoAfreedomAofAtheApressAandAfreedomAofAexpression
Section 7 The provisions of this Act are not applied to the extent that they would contravene the provisions concerning the freedom of the press and freedom of expression contained in the Freedom of the Press Act or the Fundamental Law on Freedom of Expression.
The provisions of Sections 9–29 and 33–44 and also Section 45, first paragraph, and Sections 47–49 shall not be applied to such processing of personal data as occurs exclusively for journalistic purposes or artistic or literary expression.
RelationshipAtoAtheAprincipleAofApublicAaccessAtoAofficialAdocuments
Section 8 The provisions of this Act are not applied to the extent that they would limit an authority’s obligation under Chapter 2 of the Freedom of the Press Act to provide personal data.
Nor do the provisions prevent an authority from archiving or saving official documents or that archive material is taken care of by an archive authority. The provisions of Section 9, fourth paragraph, do not apply to the use by an authority of personal data in official documents.
FundamentalArequirementsAforAprocessingAofApersonalAdata
Section 9 The controller of personal data shall ensure that
a) personal data is processed only if it is lawful,
b) personal data is always processed in a correct manner and in accordance with good practice,
c) personal data is only collected for specific, explicitly stated and justified purposes,
d) personal data is not processed for any purpose that is incompatible with that for which the information is collected,
4
e) the personal data that is processed is adequate and relevant in relation to the purposes of the processing,
f) no more personal data is processed than is necessary having regard to the purposes of the processing,
g) the personal data that is processed is correct and, if it is necessary, up to date,
h) all reasonable measures are taken to correct, block or erase such personal data as is incorrect or incomplete having regard to the purposes of the processing, and
i) personal data is not kept for a longer period than that as is necessary having regard to the purpose of the processing.
However, as regards the first paragraph, d), the processing of personal data for historical, statistic or scientific purposes shall not be regarded as incompatible with the purposes for which the information was collected.
Personal data may be kept for historical, statistic or scientific purposes for a longer time than that stated in the first paragraph i). However, personal data may not in such cases be kept for a longer period than is necessary for these purposes.
Personal data that is processed for historical, statistical or scientific purposes may be used in order to take measures as regards the person registered only if the person registered has given his/her consent or there is extraordinary reason having regard to the vital interests of the registered person.
WhenAprocessingAofApersonalAdataAisApermitted
Section 10 Personal data may be processed only if the registered person has given his/her consent to the processing or if the processing is necessary in order
a) to enable the performance of a contract with the registered person or to enable measures that the registered person has requested to be taken before a contract is entered into,
b) that the controller of personal data should be able to comply with a legal obligation,
c) that the vital interests of the registered person should be protected,
d) that a work task of public interest should be performed,
e) that the controller of personal data or a third party to whom the personal data is provided should be able to perform a work task in conjunction with the exercise of official authority, or
f) that a purpose that concerns a legitimate interest of the controller of personal data or of such a third party to whom personal data is provided should be able to be satisfied, if this interest is of greater weight than the interest of the registered person in protection against violation of personal integrity.
5
DirectAmarketing
Section 11 Personal data may not be processed for purposes concerning direct marketing, if the registered person gives notice in writing to the controller of personal data that he/she opposes such processing.
RevocationAofAconsent
Section 12 In those cases where processing of personal data is only permitted when the registered person has provided his/her consent under Section 10, 15 or 34, the registered person is entitled to revoke at any time consent that has been given. Further personal data about the registered person may not subsequently be processed.
A registered person is not entitled, beyond that provided by the first paragraph and Section 11, to oppose such processing of personal data as is permitted under this Act.
ProhibitionAagainstAprocessingAofAsensitiveApersonalAdata
Section 13 It is prohibited to process personal data that reveals
a) race or ethnic origin,
b) political opinions,
c) religious or philosophical beliefs, or
d) membership of a trade union.
It is also prohibited to process such personal data as concerns health or sex life.
Information of the kind referred to in the first and second paragraphs is designated as sensitive personalAdataAin this Act.
ExemptionsAfromAtheAprohibitionAofAprocessingAsensitiveApersonalAdata
Section 14 Despite the prohibition of Section 13 it is permitted to process sensitive personal data in those cases stated in Sections 15–19.
In Section 10 there are provisions concerning the cases in which processing of personal data is not permitted in any case whatsoever.
ConsentAorApublicising
Section 15 Sensitive personal data may be processed if the registered person has given his/her explicit consent to processing or in a clear manner publicised the information.
6
NecessaryAprocessing
Section 16 Sensitive personal data may be processed if the processing is necessary in order that
a) the controller of personal data should be able to comply with his/her duties or exercise his/her rights within employment law,
b) the vital interests of the registered person or some other person should be able to be protected and the registered person cannot provide his/her consent, or
c) legal claims should be able to be established, exercised or defended.
Information that is processed on the basis of the first paragraph a) may be disclosed to a third party only if there is within employment law an obligation for the controller of personal data to do so or the registered person has explicitly consented to the provision.
Non-profitAorganisations
Section 17 Non-profit organisations with political, philosophical, religious or trade union objects may within the framework of their operations process sensitive personal data concerning the members of the organisation and such other persons who by reason of the objects of the organisation have regular contact with it. However, sensitive personal data may be provided to a third party only if the registered person explicitly consents to it.
HealthAandAhospitalAcare
Section 18 Sensitive personal data may be processed for health and hospital care purposes, provided the processing is necessary for
a) preventive medicine and health care,
b) medical diagnosis,
c) health care or treatment, or
d) management of health and hospital care services.
A person who is professionally operational within the health care sector and is subject to a duty of confidentiality may also process sensitive personal data that is subject to the duty of confidentiality. This also applies to the person who is subject to a similar duty of confidentiality and who has received sensitive personal data from the operation within the health care sector.
ResearchAandAstatistics
Section 19 Sensitive personal data may be processed for research and statistics purposes, provided the processing is necessary in the manner stated in Section 10 and provided the interest of society in the research or statistics project within which the processing is included is manifestly
7
greater than the risk of improper violation of the personal integrity of the individual that the processing may involve.
If the processing has been approved by a research ethics committee, the prerequisites under the first paragraph shall be deemed satisfied. Research ethics committee means such special body for consideration of research ethics issues that has representatives for both the public and the research and that is linked to a university or a university college or to some other instance that to a very substantial extent funds research.
Personal data may be provided to be used in such projects referred to in the first paragraph, unless otherwise provided by the rules on secrecy and confidentiality.
uthorisationAtoAprescribeAfurtherAexemptions
Section 20 The Government or the authority appointed by the Government may issue regulations on further exemptions from the prohibition in Section 13 if it is necessary having regard to an important public interest.
InformationAconcerningAlegalAoffences,Aetc.
Section 21 It is prohibited for other parties than public authorities to process personal data concerning legal offences involving crime, judgments in criminal cases, coercive penal procedural measures or administrative deprivation of liberty.
The Government or the authority appointed by the Government may issue regulations on exemptions from the prohibition in the first paragraph.
The Government may in an individual case decide on an exemption from the prohibition in the first paragraph. The Government may delegate power to the supervisory authority to make such decisions.
ProcessingAofApersonalAidentityAnumbers
Section 22 Information about personal identity numbers or classification numbers may, in the absence of consent, only be dealt with when it is clearly justified having regard to
a) the purpose of the processing,
b) the importance of a secure identification, or
c) some other noteworthy reason.
8
Information to the registered person
InformationAshouldAbeAprovidedAvoluntarily
Section 23 If data about a person is collected from the person him/herself, the controller of personal data shall in conjunction therewith voluntarily provide the registered person with information about the processing of the data.
Section 24 If personal data has been collected from another source than the registered person, the controller of personal data shall voluntarily provide the registered person with information about the processing of the data when it is registered. However, if the data is intended to be disclosed to a third party, the information need not be given before the data has been disclosed for the first time.
Information under the first paragraph need not be provided if there are provisions concerning the registration or disclosure of personal data in an act or some other enactment.
Nor need information be provided in accordance with the first paragraph, if it proves to be impossible or would involve a disproportionate effort. However, if the data is used to take measures concerning the registered person, the information shall be provided at the latest in conjunction with that happening.
TheAinformationAthatAmustAbeAprovidedAvoluntarily
Section 25 Information under Section 23 or 24 shall comprise
a) information concerning the identity of the controller of personal data,
b) information concerning the purpose of the processing, and
c) all other information necessary in order for the registered person to be able to exercise his/her rights in connection with the processing, such as information about the recipients of the information, the obligation to provide information and the right to apply for information and obtain rectification.
However, information need not be provided regarding such matters as the registered person already knows of.
InformationAshallAbeAprovidedAuponAapplication
Section 26 The controller of personal data is liable to provide, to every natural person who requests it, free of charge notification once per annum of whether personal data concerning the applicant is processed or not. If such data is processed, written information shall also be provided about
a) which information about the applicant that is processed,
b) where this information has been collected,
9
c) the purpose of the processing, and
d) to which recipients or categories of recipients the information is disclosed.
An application under the first paragraph shall be made in writing to the controller of personal data and be signed by the applicant him/herself. Information under the first paragraph shall be provided within one month from when the application was made. However, if there are special reasons for so doing, the information may be provided not later than four months after when the application was made.
Information under the first paragraph does not need to be provided about personal data in running text that has not been given its final wording when the application was made or which comprises an aideAmemoire or the like. However, that stated here does not apply if the data has only been disclosed to a third party or if the data was only processed for historical, statistical or scientific purposes or, as regards running text that has not been given its final wording, if the data has been processed for a longer period than one year.
ExemptionsAfromAtheAobligationAtoAprovideAinformationAinAtheAcaseAofAsecrecyAandAdutyAof confidentiality
Section 27 To the extent that it is specifically prescribed by a statute or other enactment or by a decision that has been issued under an enactment that information may not be provided to the registered person, the provisions of Sections 23–26 do not apply. A controller of personal data who is not an authority may in that connection in a corresponding case as referred to in the Secrecy Act (1980:100) refuse to provide information to the registered person.
Rectification
Section 28 The controller of personal data is liable at the request of the registered person to immediately rectify, block or erase such personal data that has not been processed in accordance with this Act or regulations that have been made under the Act. The controller of personal data shall also notify a third party to whom the data has been disclosed about the measure, if the registered person requests it or if more substantial damage or inconvenience for the registered person could be avoided by a notification. However, no such notification need be provided if it is shown to be impossible or would involve a disproportionate effort.
utomatedAdecisions
Section 29 If a decision that has legal effects for a natural person or otherwise has manifest effects for the natural person, is based solely on automated processing of such personal data as is intended to assess the qualities of the person, the person who is affected by the decision shall have an opportunity to have the decision reconsidered by a person upon request.
Anybody who has been the subject of such a decision as is referred to in the first paragraph is entitled to on application obtain information from the controller of personal data about what has controlled the automated processing that resulted in the decision. As regards applications and provision of information, the applicable parts of the rules under Section 26 apply.
10
Security in processing
PersonsAwhoAprocessApersonalAdata
Section 30 A personal data assistant and a person or those persons who work under the assistant’s or the controller of personal data’s direction may only process personal data in accordance with instructions from the controller of personal data.
There shall be a written contract on the processing by the personal data assistant of personal data on behalf of the controller of personal data. It shall be specifically stipulated in the contract that the personal data assistant may only process personal data in accordance with instructions from the controller of personal data and that the personal data assistant is liable to take those measures referred to in Section 31, first paragraph.
If there are special provisions in a statute or other enactment concerning processing of personal data in public operations as regards matters referred to in the first paragraph, these shall apply instead of that stated in the first paragraph.
SecurityAmeasures
Section 31 The controller of personal data shall implement appropriate technical and organisational measures to protect the personal data that is processed. The measures shall provide a level of security that is appropriate having regard to
a) the technical possibilities available,
b) what it would cost to implement the measures,
c) the special risks that exist with processing of personal data, and
d) how sensitive the personal data processed really is.
If the controller of personal data engages a personal data assistant, the controller of personal data shall ensure for him/herself that the personal data assistant can implement the security measures that must be taken and ensure that the personal data assistant actually takes the measures.
TheAsupervisoryAauthorityAmayAdecideAonAsecurityAmeasures
Section 32 The supervisory authority may in an individual case decide on which security measures the controller of personal data shall implement in accordance with Section 31.
Section 45 contains rules about the powers of the supervisory authority to make the decision subject to a default fine.
11
Transfer of personal data to a third country
ProhibitionAofAtransferAofApersonalAdataAtoAaAthirdAcountry
Section 33 It is prohibited to transfer to a third country personal data that is undergoing processing unless the third country has an adequate level of protection for personal data. The provision also applies to transfer of personal data for processing in a third country.
The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding the transfer. Particular consideration shall be given to the nature of the data, the purpose of the processing, the duration of the processing, the country of origin, the country of final destination and the rules that exist for the processing in the third country.
ExemptionsAfromAtheAprohibitionAofAtransferAofApersonalAdataAtoAaAthirdAcountry
Section 34 Notwithstanding the prohibition in Section 33, it is permitted to transfer personal data to a third country if the registered person has given his/her consent to the transfer or if the transfer is necessary for
a) the performance of a contract between the registered person and the controller of personal data or the implementation of precontractual measures taken in response to the request of the registered,
b) the conclusion or performance of a contract between the controller of personal data and a third party which is in the interest of the registered person,
c) the establishment, exercise or defence of legal claims, or
d) the protection of vital interests of the registered person.
It is also permitted to transfer personal data for use only in a state that has acceded to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Section 35 The Government may issue regulations about exemptions from the prohibition in Section 33 of the transfer of personal data to certain states. The Government may also as regards automated processing of personal data issue regulations about transfer of personal data to a third country being permitted, provided the transfer is regulated by a contract that provides adequate safeguards to protect the rights of the registered person.
Furthermore, the Government or the authority appointed by the Government issue regulations about exemptions from the prohibition in Section 33, if this is necessary having regard to an important public interest or if there are adequate safeguards to protect the rights of the registered person.
The Government may, subject to the preconditions mentioned in the second paragraph, decide in individual cases on an exemption from the prohibition in Section 33. The Government may delegate power to the supervisory authority to make such decisions.
12
Notification to the supervisory authority
NotificationAduty
Section 36 Processing of personal data that is completely or partially automated is subject to a notification duty. The controller of personal data shall provide a written notification to the supervisory authority before such processing or a set of such processing with the same or similar purpose is conducted.
If the controller of personal data appoints a personal data representative, this shall be notified to the supervisory authority. Removal from office of a personal data representative shall also be notified to the supervisory authority.
The Government or the authority appointed by the Government may issue regulations concerning exemptions to the notification duty under the first paragraph for such kinds of processing as would probably not result in an improper intrusion of personal integrity.
NotificationAneedAnotAbeAmadeAifAthereAisAaApersonalAdataArepresentative
Section 37 Notification under Section 36, first paragraph, need not be made if the controller of personal data has given notice to the supervisory authority that a personal data representative has been appointed and who he/she is.
TheAfunctionsAofApersonalAdataArepresentatives
Section 38 The personal data representative shall have the function of independently ensuring that the controller of personal data processes personal data in a lawful and correct manner and in accordance with good practice and also points out any inadequacies to him or her.
If the personal data representative has reason to suspect that the controller of personal data contravenes the provisions applicable for processing personal data and if rectification is not implemented as soon as is practicable after being pointing out, the personal data representative shall notify this situation to the supervisory authority.
The personal data representative shall also otherwise consult with the supervisory authority in the event of doubt about how the rules applicable to processing of personal data shall be applied.
Section 39 The personal data representative shall maintain a register of the processing that the controller of personal data implements and which would have been subject to the duty of notification if the representative had not existed. The register shall comprise at least the information that a notification under Section 36 would have contained.
Section 40 The personal data representative shall assist registered persons to obtain rectification when there is reason to suspect that the personal data processed is incorrect or incomplete.
13
MandatoryAnotificationAofAprocessingAthatAisAparticularlyAsensitiveAasAregardsAintegrity
Section 41 The Government may issue regulations providing that such processing of personal data as involves particular risks for improper intrusion of personal integrity shall be notified for preliminary examination, three weeks in advance, to the supervisory authority in accordance with Section 36. If the Government has issued such regulations, the exemption from the obligation to give notification under Section 37 does not apply.
InformationAtoAtheApublicAaboutAprocessingAthatAhasAnotAbeenAnotified
Section 42 The controller of personal data shall, to everybody who requests it, expeditiously and in an appropriate manner provide information about such automated or other processing of personal data that have not been notified to the supervisory authority. The information shall comprise that which a notification under Section 36, first paragraph, would have comprised. However, the controller of personal data is not responsible to provide information subject to secrecy or information about which security measures have been taken. In that connection, a controller of personal data who is not an authority may, in a case corresponding to those referred to in the Secrecy Act (1980:100), refuse to provide information.
TheApowersAofAtheAsupervisoryAauthority
Section 43 The supervisory authority is entitled for its supervision to obtain on request
a) access to the personal data that is processed,
b) information about and documentation of the processing of personal data and security of this processing, and
c) access to those premises linked to the processing of personal data.
Section 44 If the supervisory authority cannot, pursuant to a request under Section 43, obtain sufficient information in order to conclude that the processing of personal data is lawful, the authority may prohibit, subject to a default fine, the controller of personal data to process personal data in any other manner than by storing them.
Section 45 If the supervisory authority concludes that personal data is processed or may be processed in an unlawful manner, the authority shall by a reminder or similar procedure endeavour to attain rectification. If it is not possible to obtain rectification in any other manner or if the matter is urgent, the authority may prohibit, subject to a default fine, the controller of personal data to continue processing the personal data in any other manner than by storing them.
If the controller of personal data does not voluntary comply with the decision concerning security measures under Section 32 that has entered into final legal force, the supervisory authority may prescribe a default fine.
14
Section 46 Before the supervisory authority decides a default fine in accordance with Section 44 or 45, the controller of personal data shall have been given an opportunity to express him/herself. However, if the matter is urgent the authority, pending the expression of views, may issue a temporary decision on a default fine. The temporary decision shall be reconsidered when the period for expressing views has expired.
An order for a default fine shall be served on the controller of personal data. Service under Section 12 of the Service Act (1970:428) may only be used if there is reason to assume that the controller of personal data has absconded or concealing him/herself in some other way.
Section 47 The supervisory authority may at the County Administrative Court in the county where the authority is situated apply for the erasure of such personal data as has been processed in an unlawful manner.
Decision on erasure may not be issued if it is unreasonable.
Damages
Section 48 The controller of personal data shall compensate the registered person for damages and the violation of personal integrity that the processing of personal data in contravention of this Act has caused.
The liability to pay compensation may, to the extent that it is reasonable, be adjusted if the person providing personal data proves that the error was not caused by him or her.
Penalties
Section 49 A person who intentionally or by carelessness
a) provides untrue information in such information to registered persons as is prescribed by this Act, or in the notification to the supervisory authority under Section 36 or to the supervisory authority when the authority requests information in accordance with Section 43,
b) processes personal data in contravention of Sections 13–21,
c) transfers personal data to a third country in contravention of Sections 33–35, or
d) omits to give notification under Section 36, first paragraph, or in accordance with regulations issued under Section 41,
shall be sentenced to a fine or imprisonment of at most six months or, if the offence is grave, to imprisonment of at most two years.
A sentence shall not be imposed in petty cases.
15
A person who has contravened an order subject to a default fine in accordance with Section 44 or 45, first paragraph, shall not be sentenced for liability for an act that is subject to the default fine order.
DetailedAregulations
Section 50 The Government or the authority appointed by the Government may issue more detailed regulations concerning
a) the cases in which processing of personal data is permitted,
b) the requirements which are imposed on the controller of personal data when processing personal data,
c) the cases in which use of personal identity number is permitted,
d) what a notification or application to a controller of personal data should contain,
e) which information shall be provided to the registered person and how information shall be provided, and
f) notification to the supervisory authority and procedure when information notified has been altered.
ppeals
Section 51 The supervisory authority’s decision in accordance with this Act, except as regards regulations, may be appealed against to a general administrative court.
Leave to appeal is required to appeal to the Administrative Court of Appeal.
The supervisory authority may decide that its decision should apply even if it has been appealed against.
––––––––––
EntryAintoAforceAandAtransitionalAprovisions
1. This Act enters into force on 24 October 1998, upon which the Data Act (1973:289) shall cease to apply. However, the old act still applies to issues concerning appeals of decisions that have been issued before 24 October 1998.
2. As regards processing of personal data that commenced before the entry into force, or processing conducted for a particular decided purpose if processing for the purpose was commenced before the entry into force, the old act shall apply instead of the new act up to and including 30 September 2001. This also applies to the rules in the old act on appeals.
3. The rules of Sections 9, 10, 13 and 21 in the new act shall not start to be applied before 1 October 2007 as regards such manual processing of personal data as was commenced before the entry into force, or as regards manual processing that is conducted for a
16
particular decided purpose if manual processing for the purpose was commenced before the entry into force.
4. As regards personal data that at entry into force are stored for historical research, the provisions of Sections 9, 10, 13 and 21 of the new act shall first begin to be applied when the information is processed in some other way. The corresponding rules in the old act shall be applied until then. However, the said rules in the new act shall not be applied before the time prescribed by 2 or 3 by reason of that stated here.
5. Notification under Section 36 of the new act may be made before the new act has entered into force for the processing in question.
6. Consent that has been provided before the new act has entered into force for the processing in question shall also apply after the entry into force provided the consent fulfils the requirements in the new act.
7. If a request for registration under Section 10 of the old act was received before the new act entered into force for the processing in question but has drawn out or not been carried out before entry into force, the request shall be considered to be an application under Section 26 of the new act.
8. The rules of the new act on damages shall only be applied if the circumstances to which the application relates have occurred before the new act has entered into force for the processing in question. In other cases the old rules apply.