| Stage of legislative progress |
|---|
| E.g. pre-consultation, in consultation |
Swedish Data Protection Act (2018:218) and Swedish Data Protection Regulation (2018:219), containing supplementary provisions to the GDPR, entered into force on 25 May 2018.
| Approach to implementation |
|---|
| E.g. amendments to existing law, total repeal of old laws |
Personal Data Act (1998:204) repealed and replaced by the Data Protection Act (2018:218).
| Timescale for implementation |
|---|
| E.g. pre-consultation, in consultation |
The new Data Protection Act, as well as the Swedish Data Protection Regulation entered into force on 25 May 2018.
Areas where Member States must have local laws:
| Personal data and freedom of expression |
|---|
Data Protection Act paragraph 1:7: the GDPR and the Data Protection Act shall not be applied to the extent that it would breach the laws on freedom of expression. The Data Protection Act provides that articles 5-30 and 35-50 of the GDPR shall not be applicable to the processing of personal data for journalistic purposes or for purposes of academic, artistic or literary expressions.
| Penalties |
|---|
Paragraph 6:2 of the Data Protection Act, public authorities may be subject to administrative fines. Administrative fines pursuant to article 83 may also be imposed for infringement of article 10 of the GDPR. The regulation with supplementary provisions includes further provisions on the enforcement of administrative fines, paragraphs 9-11
Areas where Member States may have local laws:
| Professional secrecy |
|---|
Data subject's right to information and access to personal data does not apply to personal data subject to professional secrecy.
| Scientific, historical or statistical purposes |
|---|
The Personal Data Act paragraph 3:7: Sensitive personal data can be processed according to the GDPR Art. 9(2)(j) if the processing is necessary for statistical purposes and the public interest, for the statistics project for which the processing takes place, clearly outweighs the risk for unfair infringement of the individuals' integrity that the processing may cause.
| Employment |
|---|
Paragraph 3:2 provides that it is permitted to process sensitive personal data pursuant to Article 9(2)(b) of the GDPR in the field of employment. In such cases, data may only be disclosed to a third party where employment law imposes such obligation on the controller or the data subject has explicitly consented to the disclosure.
| Personal data of deceased persons |
|---|
No provisions
| Children online |
|---|
13 years.
| Special rules for special categories of data |
|---|
The Act clarifies that Article 9(a), (c), (d), (e) and (f) GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 §§ of the new Data Protection Act (clarifying the criteria for processing of sensitive data under Article 9(b), (g), (h) and (j) GDPR).
| Genetic, biometric or health data |
|---|
Swedish Act on Patient Data (2008:355) provides further conditions for the processing of personal data in health care.
| Designation of a Data Protection Officer |
|---|
n/a
| National identification numbers/any other identifier of general application |
|---|
The Act stipulates that information regarding personal identification numbers or classification numbers may only be processed without consent where clearly justified in light of (i) the purpose of the processing; (ii) the importance of positive identification; or (iii) some other worthy reason. The Government may issue regulations on other justifications for the processing of personal identification numbers of classification numbers.
Other:
| Any other areas under discussion |
|---|
