Stage of legislative progress 
E.g. pre-consultation, in consultation

The Swedish Data Protection Act (2018:218) and the Swedish Data Protection Regulation (2018:219), containing supplementary provisions to the GDPR, entered into force on 25 May 2018.

Approach to implementation 
E.g. amendments to existing law, total repeal of old laws

The Personal Data Act (1998:204) was repealed and replaced by the Data Protection Act (2018:218).

Timescale for implementation 
E.g. pre-consultation, in consultation

The new Data Protection Act, as well as the Swedish Data Protection Regulation entered into force on 25 May 2018.


Areas where Member States must have local laws:

Personal data and freedom of expression 

Data Protection Act paragraph 1:7: the GDPR and the Data Protection Act shall not be applied to the extent that it would breach the laws on freedom of expression. The Data Protection Act provides that articles 5-30 and 35-50 of the GDPR shall not be applicable to the processing of personal data for journalistic purposes or for purposes of academic, artistic or literary expressions.

Penalties

According to paragraph 6:2 of the Data Protection Act, public authorities may be subject to administrative fines. Administrative fines pursuant to article 83 may also be imposed for infringement of article 10 of the GDPR. The regulation with supplementary provisions includes further provisions on the enforcement of administrative fines, paragraphs 9-11.


Areas where Member States may have local laws:

Professional secrecy 

According to the Data Protection Act, the data subject's right to information and access to personal data does not apply to personal data subject to professional secrecy. Furthermore, a controller, who is not a public authority, may refuse to provide information/access in cases comparable to those referred to in the Freedom of Information and Official Secrets Act (SFS 2009:400).

The Act also clarifies that processing of sensitive personal data (in the field of medicine or health and social care) is permitted where it is necessary for certain specified purposes and provided that the processing is undertaken by or under responsibility of a professional subject to the obligation of professional secrecy.

Scientific, historical or statistical purposes 

The Personal Data Act paragraph 3:7: Sensitive personal data can be processed according to the GDPR Art. 9(2)(j) if the processing is necessary for statistical purposes and the public interest, for the statistics project for which the processing takes place, clearly outweighs the risk for unfair infringement of the individuals' integrity that the processing may cause. 

Employment

Paragraph 3:2 provides that it is permitted to process sensitive personal data pursuant to Article 9(2)(b) of the GDPR in the field of employment. In such cases, data may only be disclosed to a third party where employment law imposes such obligation on the controller or the data subject has explicitly consented to the disclosure.

Personal data of deceased persons 

n/a

Children online

Personal Data Act paragraph 2:3: 13 years.

Special rules for special categories of data

The Act clarifies that article 9 (a), (c), (d), (e) and (f) of GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 §§ of the new Data Protection Act (clarifying criteria for processing of sensitive data under article 9 (b), (g), (h) and (j) of GDPR).

Genetic, biometric or health data

Swedish Act on Patient Data (2008:355) provides further conditions for the processing of personal data in health care.

Designation of a Data Protection Officer

n/a

National identification numbers/any other identifier of general application

The Act stipulates that information regarding personal identification numbers or classification numbers may only be processed without consent where clearly justified in light of (i) the purpose of the processing; (ii) the importance of positive identification; or (iii) some other worthy reason. The Government may issue regulations on other justifications for the processing of personal identification numbers of classification numbers.


Other:

Any other areas under discussion
In contrast to article 2.2 (a)-(b) of the GDPR, the Data Protection Act provides that the GDPR and the Data Protection Act shall be applicable to the processing of personal data in the course of an activity (i) which falls outside the scope of Union law or (ii) which falls within the scope of Chapter 2 of Title V of the TEU.