Personal Data Ordinance (1998:1191);
issued 3 September 1998.
The Government prescribes the following.
Introductory provisions
Section 1 This Ordinance provides supplementary regulations concerning such processing of personal data as is subject to the Personal Data Act (1998:204).
Supervisory authority
Section 2 The Data Inspection Board is the supervisory authority under the Personal Data Act (1998:204).
Notification to the Data Inspection Board
Section 3 The duty of notification under Section 36, first paragraph, of the Personal Data Act (1998:204) does not apply to the processing of personal data 1. that is undertaken pursuant to an authority’s obligation under Chapter 2 of the Freedom
of the Press Act to provide official documents, 2. that is undertaken by the archive authority pursuant to the provisions of the Archives Act
(1990:782) or the Archives Ordinance (1991:446), 3. that is governed by specific regulations in a statue or enactment in other cases than those
mentioned in items 1 and 2.
Section 4 The duty of notification under Section 36, first paragraph, of the Personal Data Act (1998:204) does not apply for processing personal data in running text.
Section 5 The duty of notification under Section 36, first paragraph, of the Personal Data Act (1998:204) does not apply to processing of sensitive personal data that is performed under Section 17 of the Personal Data Act. Nor does the duty of notification apply to the corresponding processing by such an organisation of other kinds of personal data than sensitive personal data.
Section 6 The Data Inspection Board may issue regulations concerning exemptions from the duty of notification under Section 36, first paragraph, of the Personal Data Act (1998:204) for such types of processing as will be likely to result in improper intrusion of personal integrity.
Section 7 The Data Inspection Board shall, by means of automated processing, maintain a register of the processing of personal data notified to the Inspection under Section 36, first paragraph, of the Personal Data Act (1998:204).
2
Processing of information concerning legal offences, etc.
Section 8 The Data Inspection Board may as regards automated processing of personal data issue regulations about exemptions from the prohibition in Section 21 of the Personal Data Act (1998:204) for persons, other than authorities, to process personal data concerning legal offences that comprise crime, judgments in criminal cases, coercive penal procedural measures or administrative deprivation of liberty. The Data Inspection Board may also decide in individual cases on exemptions from the prohibition.
Preliminary review
Section 9 The following automated processing of personal data shall, irrespective of whether they are subject to the duty of notification under Section 36 of the Personal Data Act or not, be notified for preliminary review to the Data Inspection Board not later than three weeks in advance: 1. processing of sensitive personal data for research purposes without consent of the person
registered and which have not been approved by a research ethics committee in accordance with Section 19, second paragraph of the Personal Data Act (1998:204),
2. processing of personal data concerning hereditary disposition derived from genetic investigation.
The first paragraph does not apply to such processing of personal data as is governed by specific regulations in a statute or enactment.
Section 10 The Data Inspection Board shall as regards such processing as is notified to it in accordance with Section 9 make a special decision about whether measures by reason of the notification should be taken or not.
Transfer of personal data to third countries
Section 11 The Data Inspection Board may as regards matters of automated processing issue regulations on exemptions from the prohibition in Section 33 of the Personal Data Act (1998:204) to transfer to a third country personal data that is being processed and to transfer personal data for processing to a third country if there are adequate safeguards to protect the rights of the person registered. The Data Inspection Board may also under the same preconditions decide in individual cases on exemptions from the prohibition.
Branch agreements
Section 12 The Data Inspection Board shall at the request of an organisation that represents a substantial part of the controllers of personal data within a particular branch or within a particular sector issue an opinion on proposals for agreements as regards processing of personal data within the branch or sector (branch agreement).
An opinion under the first paragraph shall relate to the compatibility of the branch agreement with the Personal Data Act (1998:204) and other ordinances governing the processing of personal data in question.
3
The Inspection shall, before it issues its opinion, if appropriate ensure that the organisations that represent the person registered have been given an opportunity to express their views on the proposals for a branch agreement.
Authorisation
Section 13 The Data Inspection Board may on matters concerning automated processing of personal data issue further regulations concerning 1. the cases in which processing of personal data is permitted, 2. the requirements which are imposed on the controller of personal data, 3. the cases in which the use of personal identity numbers is permitted, 4. what a notification or application to a controller of personal data should contain, 5. which information should be provided to the registered person and how the information
should be provided, 6. notification to the Inspection and the procedure when notified information has been
altered.
Support to persons who are registered abroad
Section 14 A person who is resident in Sweden and who is or may be assumed to be registered in a register subject to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in a country that has acceded to the Convention, may submit to the Data Inspection Board a request for support of the kind referred to in Article 14, Item 2 of the Convention. The Data Inspection Board shall pass on the request for protection by natural persons in automatic data processing of personal data to the other country.
The request should contain information about 1. name, address and other details necessary to identify the person who makes the request, 2. the register to which the request relates or the person who is responsible for the register, 3. the purpose of the request.
––––––––––
This Ordinance enters into force on 24 October 1998, upon which the Data Ordinance (1982:480) ceases to apply. However, the Data Ordinance still applies in those cases where the Data Act (1973:289) shall be applied in accordance with the implementation and transitional rules for the Personal Data Act (1998:204).