Stage of legislative progress 
E.g. pre-consultation, in consultation

Swedish Data Protection Act (2018:218) and Swedish Data Protection Regulation (2018:219), containing supplementary provisions to the GDPR, entered into force on 25 May 2018.

Approach to implementation 
E.g. amendments to existing law, total repeal of old laws

Personal Data Act (1998:204) repealed and replaced by the Data Protection Act (2018:218).

Timescale for implementation 
E.g. pre-consultation, in consultation

The new Data Protection Act, as well as the Swedish Data Protection Regulation entered into force on 25 May 2018.

Areas where Member States must have local laws:

Personal data and freedom of expression 

Data Protection Act paragraph 1:7: the GDPR and the Data Protection Act shall not be applied to the extent that it would breach the laws on freedom of expression. The Data Protection Act provides that articles 5-30 and 35-50 of the GDPR shall not be applicable to the processing of personal data for journalistic purposes or for purposes of academic, artistic or literary expressions.


Paragraph 6:2 of the Data Protection Act, public authorities may be subject to administrative fines. Administrative fines pursuant to article 83 may also be imposed for infringement of article 10 of the GDPR. The regulation with supplementary provisions includes further provisions on the enforcement of administrative fines, paragraphs 9-11

Areas where Member States may have local laws:

Professional secrecy 

Data subject's right to information and access to personal data does not apply to personal data subject to professional secrecy. 

Scientific, historical or statistical purposes 

The Personal Data Act paragraph 3:7: Sensitive personal data can be processed according to the GDPR Art. 9(2)(j) if the processing is necessary for statistical purposes and the public interest, for the statistics project for which the processing takes place, clearly outweighs the risk for unfair infringement of the individuals' integrity that the processing may cause.


Paragraph 3:2 provides that it is permitted to process sensitive personal data pursuant to Article 9(2)(b) of the GDPR in the field of employment. In such cases, data may only be disclosed to a third party where employment law imposes such obligation on the controller or the data subject has explicitly consented to the disclosure.

Personal data of deceased persons 

No provisions

Children online

13 years.

Special rules for special categories of data

The Act clarifies that Article 9(a), (c), (d), (e) and (f)  GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 §§ of the new Data Protection Act (clarifying the criteria for processing of sensitive data under Article 9(b), (g), (h) and (j) GDPR).

Genetic, biometric or health data

Swedish Act on Patient Data (2008:355) provides further conditions for the processing of personal data in health care. 

Designation of a Data Protection Officer


National identification numbers/any other identifier of general application

The Act stipulates that information regarding personal identification numbers or classification numbers may only be processed without consent where clearly justified in light of (i) the purpose of the processing; (ii) the importance of positive identification; or (iii) some other worthy reason. The Government may issue regulations on other justifications for the processing of personal identification numbers of classification numbers. 


Any other areas under discussion
In contrast to article 2.2 (a)-(b) of the GDPR, the Data Protection Act provides that the GDPR and the Data Protection Act shall be applicable to the processing of personal data in the course of an activity (i) which falls outside the scope of Union law or (ii) which falls within the scope of Chapter 2 of Title V of the TEU.