Stage of legislative progress 
Eg. pre-consultation, in consultation

The Government Bill was passed on the 19th of April, and the new Data Protection Act (2018:218) will enter into force on the 25th of May.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

The Personal Data Act (1998:204) will be repealed and replaced by the Data Protection Act, which contains supplementary provisions to the GDPR.

Timescale for implementation 
Eg. pre-consultation, in consultation

The new Data Protection Act will enter into force on 25 May 2018.

Areas where Member States must have local laws:

Personal data and freedom of expression 

The Data Protection Act provides that articles 5-30 and 35-50 of the GDPR shall not apply to the processing of personal data for journalistic purposes or for the purposes of academic, artistic or literary expression.


According to paragraph 6:2 of the Data Protection Act, public authorities may be subject to administrative fines. Administrative fines pursuant to article 83 may also be imposed for infringement of article 10 of the GDPR.

Areas where Member States may have local laws:

Professional secrecy 

According to the Act, the data subject's right to information and access to personal data does not apply to data that is subject to professional secrecy. Furthermore, a controller that is not a public authority may refuse to provide information/access in cases comparable to those referred to in the Freedom of Information and Official Secrets Act (SFS 2009:400).

The Act also clarifies that processing of sensitive personal data (in the field of medicine or health and social care) is permitted where it is necessary for certain specified purposes, provided that the processing is undertaken by or under the responsibility of a professional subject to the obligation of professional secrecy.

Scientific, historical or statistical purposes 



Paragraph 3:2 provides that it is permitted to process sensitive personal data pursuant to Article 9(2)(b) of the GDPR in the field of employment. In such cases, data may only be disclosed to a third party where employment law imposes such obligation on the controller or the data subject has explicitly consented to the disclosure.

Personal data of deceased persons 


Children online

13 years.

Special rules for special categories of data

The Act clarifies that article 9 (a), (c), (d), (e) and (f) of the GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 of the new Data Protection Act (clarifying the criteria for processing of sensitive data under article 9 (b), (g), (h) and (j) of the GDPR).

Genetic, biometric or health data


Designation of a Data Protection Officer


National identification numbers/any other identifier of general application

The Act stipulates that information regarding personal identification numbers or classification numbers may only be processed without consent where clearly justified in light of (i) the purpose of the processing; (ii) the importance of positive identification; or (iii) some other worthy reason.


Any other areas under discussion
In contrast to article 2.2 (a)-(b) of GDPR, the proposal provides that GDPR and the new Data Protection Act shall be applicable to the processing of personal data in the course of an activity (i) which falls outside the scope of Union law or (ii) which falls within the scope of Chapter 2 of Title V of the TEU.