The Swedish Data Protection Act (2018:218) and the Swedish Data Protection Regulation (2018:219), containing supplementary provisions to the GDPR, entered into force on 25 May 2018.
The Personal Data Act (1998:204) was repealed and replaced by the Data Protection Act (2018:218).
The new Data Protection Act, as well as the Swedish Data Protection Regulation, entered into force on 25 May 2018.
Areas where Member States must have local laws:
Data Protection Act paragraph 1:7: the GDPR and the Data Protection Act shall not be applied to the extent that it would breach the laws on freedom of expression. The Data Protection Act provides that articles 5-30 and 35-50 of the GDPR shall not be applicable to the processing of personal data for journalistic purposes or for purposes of academic, artistic or literary expression.
According to paragraph 6:2 of the Data Protection Act, public authorities may be subject to administrative fines. Administrative fines pursuant to article 83 may also be imposed for infringement of article 10 of the GDPR. The regulation with supplementary provisions includes further provisions on the enforcement of administrative fines in paragraphs 9-11.
Areas where Member States may have local laws:
According to the Data Protection Act, the data subject's right to information and access to personal data does not apply to personal data subject to professional secrecy. Furthermore, a controller that is not a public authority may refuse to provide information or access in cases comparable to those referred to in the Freedom of Information and Official Secrets Act (SFS 2009:400).
The Act also clarifies that processing of sensitive personal data (in the field of medicine or health and social care) is permitted where it is necessary for certain specified purposes and provided that the processing is undertaken by or under responsibility of a professional subject to the obligation of professional secrecy.
The Personal Data Act paragraph 3:7: Sensitive personal data can be processed according to the GDPR Art. 9(2)(j) if the processing is necessary for statistical purposes and the public interest in the statistics project for which the processing takes place clearly outweighs the risk of unfair infringement of the individuals' integrity that the processing may cause.
Paragraph 3:2 provides that it is permitted to process sensitive personal data pursuant to Article 9(2)(b) of the GDPR in the field of employment. In such cases, data may only be disclosed to a third party where employment law imposes such obligation on the controller or the data subject has explicitly consented to the disclosure.
Personal Data Act paragraph 2:3: 13 years.
The Act clarifies that article 9 (a), (c), (d), (e) and (f) of GDPR are directly applicable and further provides that sensitive personal data may be processed in accordance with Chapter 3, Sections 2-7 of the new Data Protection Act (clarifying criteria for processing of sensitive data under article 9 (b), (g), (h) and (j) of GDPR).
The Swedish Act on Patient Data (2008:355) provides further conditions for the processing of personal data in health care.
The Act stipulates that information regarding personal identification numbers or classification numbers may only be processed without consent where clearly justified in light of (i) the purpose of the processing; (ii) the importance of positive identification; or (iii) some other worthy reason. The Government may issue regulations on other justifications for the processing of personal identification numbers or classification numbers.