Please provide an overview of the legal and regulatory framework governing data protection and privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws). Are there any expected changes in the data protection and privacy law landscape in 2022-2023 (e.g., new laws or regulations coming into effect, enforcement of any new laws or regulations, expected regulations or amendments)?
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR“) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all member states of the European Union on 25 May 2018, without requiring implementation by the EU member states through national law.
Two principal laws supplementing the GDPR in Sweden are the Act containing supplementary provisions (Sw. Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) (the “Data Protection Act“) and the corresponding Ordinance (Sw. Förordning (2018:219) med kompletterande bestämmelser till EU:s dataskyddsförordning) (the “Data Protection Ordinance“). The Data Protection Act, which also entered into force on 25 May 2018, regulates areas in which the GDPR opens up for national legislation, such as processing of personal identity numbers, special rules for special categories of data and processing of personal data in relation to freedom of expression.
Alongside the Data Protection Act, a fairly large number of adjustments to existing laws came into force on 25 May 2018 or later during 2018, covering data processing in specific sectors such as healthcare and financial institutions. Furthermore, a new statute on the processing of personal data in law enforcement (Sw. Brottsdatalag (2018:1177)) entered into force on 1 August 2018, as did a new Camera Surveillance Act (Sw. Kamerabevakningslag (2018:1200)), which regulates the use of equipment for audio-visual monitoring and surveillance.
General legislation that impacts data protection in Sweden is the ePrivacy Directive 2002/58/EC, which is implemented into Swedish legislation through a number of laws, e.g. the Marketing Act (Sw. Marknadsföringslagen (2008:486)) and the Electronic Communications Act (Sw. Lag (2003:389) om elektronisk kommunikation) (the “Electronic Communications Act“), which covers all electronic communications networks and services. A new law is proposed to replace the current Electronic Communications Act during 2022; the rules implementing the ePrivacy Directive are proposed to be carried over into the new law.
The EU Commission has proposed a new regulation on electronic communications that is intended to apply to any company processing personal data in the context of providing electronic communications services and to repeal the current Directive. The proposed ePrivacy Regulation (the “ePR“) would harmonise the applicable rules across the EU and align them with the GDPR. In 2021, a new draft of the ePR was presented and accepted by the Council of the European Union. However, the final version of the ePR has not yet been published and it is still unclear when the ePR will enter into force.
Other central laws which are closely related to, and sometimes supplement, Swedish privacy laws are the Act on Information Security for providers of essential services and digital services (Sw. Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster) (the “NIS Act”) and the Ordinance on Information Security for providers of essential services and digital services (Sw. Förordning (2018:1175) om informationssäkerhet för samhällsviktiga och digitala tjänster) (the “NIS Ordinance”).
Additionally, the Swedish Authority for Privacy Protection has the right to issue its own binding regulations and publishes general guidelines with recommendations on various issues. The Swedish Authority for Privacy Protection may also issue injunctions and administrative fines.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
There are no general registration or licensing requirements under the GDPR, nor the Data Protection Act.
However, the GDPR prescribes that the controller must consult the Swedish Authority for Privacy Protection prior to a specific personal data processing that may lead to a high risk for the data subjects. Before requesting prior consultation, the controller must have carried out a thorough data protection impact assessment (“DPIA”). The DPIA is a process to identify the risks of processing personal data and to draw up procedures and measures to address those risks. If the controller still considers, after having performed the DPIA, that the processing entails a high risk, the controller must consult the Swedish Authority for Privacy Protection before the processing begins.
The Swedish Authority for Privacy Protection has, based on guidelines from the Article 29 Working Party, published a list of processing operations for which an impact assessment is required. Examples are financial institutions that make automated decisions on whether to grant a loan, and processing of children’s personal data in school activities.
Moreover, entities that process personal data are in some circumstances required to appoint a Data Protection Officer, the most relevant circumstances being large-scale and systematic monitoring of individuals and/or large-scale processing of sensitive personal data. Such appointment, including contact details of the Data Protection Officer, must be notified to the Swedish Authority for Privacy Protection.
Entities are also required to maintain records of all the processing activities which take place in the organisation. These records, which must be in writing, including in electronic form, must contain information explaining, inter alia, the purpose of all processing operations, the categories of data subjects and personal data as well as a general description of the applied technical and organisational security measures. This obligation does not apply to organisations employing fewer than 250 persons, unless the processing is of a high-risk nature, including processing of special categories of personal data such as ethnic or health information, or data about criminal convictions and offences. The organisation needs to make the records available to the Swedish Authority for Privacy Protection upon request.
As regards camera surveillance, government agencies and certain other operators that conduct activities of public interest (such as schools, health care and public transport) need a permit from the Swedish Authority for Privacy Protection before conducting camera surveillance.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The GDPR makes a distinction between regular “personal data” and “special categories of data”. Personally identifiable information (PII) is not a term used in the GDPR.
According to article 4(1) of the GDPR, personal data is any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR applies to wholly or partly automated processing of personal data. It also applies to manual processing of personal data if the personal data forms part of, or is intended to form part of, a filing system that is structured according to specific criteria.
The term “special categories of data” refers to a specific set of sensitive personal data which may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, information about trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of special categories of data is prohibited, unless the processing is explicitly allowed for under article 9 of the GDPR.
Information about criminal convictions and offences is dealt with separately and is subject to stricter controls; please also see the answers under questions 9, 14 and 15. Authorities may process personal data relating to criminal convictions and offences. Entities other than authorities must have a lawful basis in regulations or specific decisions to be able to process such personal data. The Swedish Authority for Privacy Protection may decide that entities other than authorities may process personal data relating to criminal convictions and offences.
Other key definitions set forth in the GDPR are processing, controller and processor.
The term “processing” is defined in article 4(2) of the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction“.
The term “controller” is defined in article 4(7) of the GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law“.
The term “processor” is defined in article 4(8) of the GDPR as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller“.
What are the principles related to, the general processing of personal data or PII – for example, must a covered entity establish a legal basis for processing personal data or PII in your jurisdiction or must personal data or PII only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
All processing of personal data must comply with the fundamental principles stated in article 5 of the GDPR. The principles mean, among other things, that controllers:
- must have a lawful basis under the GDPR to be able to process personal data
- may only collect personal data for specific, explicitly stated and legitimate purposes
- are not to process more personal data than is necessary for those purposes
- are to ensure that the personal data is accurate
- are to erase the personal data when it is no longer needed
- are to protect the personal data, for example so that unauthorised persons are not given access to it and so that it is not lost or destroyed
- are to be able to demonstrate how they live up to the GDPR
The processing of personal data must be fair, appropriate, reasonable and proportionate in relation to the purpose and to the data subjects’ interest in the protection of their privacy. Entities must also consider what kind of processing of personal data the data subjects can reasonably expect.
All processing of personal data is to be lawful, which means first and foremost that entities must have lawful ground for all processing of personal data. Article 6 of the GDPR states six lawful grounds of which one must be met for every instance of processing of personal data:
- Consent
- Contract
- Legitimate interest
- Legal obligation
- Exercise of official authority or task in the public interest
- Vital interests
Without lawful grounds it is unlawful to process personal data.
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII?
The GDPR establishes several situations in which consent typically can be used as one possible lawful ground. This may be the case, for example, when seeking to process an individual’s sensitive personal data (such as information about health), to make automated decisions and carry out profiling, to send e-marketing, or when seeking to share personal data with independent third parties for their own commercial purposes. Consent is also an explicit requirement according to chapter 6 section 18 of the Electronic Communications Act for websites using cookies.
However, in many cases it is not appropriate or even possible to base processing on the data subject’s consent. Consent will only be an appropriate processing condition if the individual has a genuine choice over the matter.
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
The consent of the data subject means according to article 4(11) of the GDPR “any freely given, specific, informed and unambiguous indication of his or her wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Furthermore, the following is stated in recital 43 of the GDPR:
“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.”
This means that the assessment of whether consent has been freely given should be based not only on the prevailing freedom of choice, but also on the relationship that exists between the data subject and the controller. The scope for voluntary consent within the public sphere is therefore limited.
One of the main consent requirements is that the request for consent must be in clear and plain language, separate from other matters, and that consent is given after the data subject has received comprehensive and clear information on what processing it consents to. Since consent must be based on an affirmative action, pre-ticked boxes are not acceptable. Furthermore, the data subject has the right, in accordance with article 7(3) of the GDPR, to withdraw his or her consent at any time.
It is insufficient to rely only on a vague or general consent. Therefore, information regarding a consent shall be kept separate from other information. When consent is requested as part of a contract, the request for consent should be clearly distinguishable from the other matters. Recital 32 of the GDPR states that the request for consent should be separate and distinct when it is made by electronic means. The fact that someone agrees to a contract or accepts general terms and conditions does not mean that the controller has obtained consent. This means that the question of consent cannot consist of just a paragraph within terms and conditions.
The consent may cover different operations as long as these operations serve the same purpose. If a processing has multiple purposes, it is possible to give consent for all of them. Each of the purposes must be specific and it must be possible to choose some purposes and opt out of others.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
Processing of special categories of personal data (see question 3 above) is as a rule prohibited, unless one of the available lawful bases for the processing of special categories of personal data applies (article 9 of the GDPR). Processing of sensitive personal data is allowed if:
- the data subject has given explicit consent;
- the processing is necessary for carrying out obligations and exercising specific rights of the controller or the data subject in the field of employment, social security and social protection law;
- the data is processed for the protection of vital interest of the data subject, when he or she is unable to give consent;
- the data is processed by a foundation, association or any other non-profit body in the course of its legitimate activities, and relates solely to its members, former members or persons in regular contact with it, without disclosure outside the body;
- the sensitive personal data has evidently been made public by the data subject;
- it is required for legal action, claims or whenever courts are acting in their judicial capacity;
- the processing is necessary for reasons of substantial public interest;
- it is required for the provision of health care and similar services, and the service provider is bound by an obligation of professional secrecy;
- there are public health reasons for the processing, such as protecting against serious cross-border threats to health; or
- the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Personal data relating to criminal convictions and offences is also treated as sensitive. As a rule, such personal data may only be processed by the relevant authorities. The data subject’s consent is not a valid legal ground for processing. Entities other than authorities may process such data only where permitted by EU law or Swedish national law. For example, the processing of such data is permitted if it is required to establish, exercise or defend a legal claim. Also, the Swedish Authority for Privacy Protection can decide that entities other than authorities may process personal data relating to criminal convictions and offences, by issuing general exceptions or by issuing exceptions in individual cases.
How do the laws in your jurisdiction address children’s personal data or PII?
The GDPR creates an additional layer of protection where personal data of vulnerable natural persons, especially children, are processed. Article 8 of the GDPR introduces additional obligations to ensure an enhanced level of data protection of children in relation to information society services. The reasons for the enhanced protection are specified in Recital 38: “[…] they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data […]”
According to article 8 of the GDPR, when processing personal data on the basis of consent in relation to information society services offered directly to children under 16, consent shall be given or authorised by the holder of parental responsibility (unless the online service is a preventive or counselling service). Member States may set a lower age, but not below 13 years. In Sweden, the age at which a child can provide valid consent is reduced to 13 years, as set out in chapter 2 section 4 of the Data Protection Act. If the child is under 13, the processing is lawful only if and to the extent that the child’s parent or guardian has consented.
Extra care should be taken when processing personal data relating to children on the basis of a legitimate interest, especially in relation to marketing activities. The controller needs to consider that children’s personal identity numbers require extra protection and ensure that the data subjects’ rights are sufficiently protected.
The information given to data subjects shall be understandable to the audience addressed by the controller, paying particular attention to the position of children. To obtain “informed consent” from a child, the controller must explain in language that is clear and plain for children how it intends to process the data it collects. Recital 58 of the GDPR re-affirms this obligation, in stating that, where appropriate, a controller should make sure the information provided is understandable for children.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The Data Protection Act sets out, as described briefly under question 1, certain limitations on processing of personal data relating to criminal convictions and offences and the use of personal identity numbers.
According to chapter 3 sections 8 and 9 of the Data Protection Act, authorities may process personal data relating to criminal convictions and offences. Entities other than authorities must have a lawful basis in regulations or specific decisions to be able to process such personal data. The Swedish Authority for Privacy Protection may decide that entities other than authorities may process personal data relating to criminal convictions and offences.
According to chapter 3 sections 10 and 11 of the Data Protection Act, personal identity numbers and coordination numbers may be processed if the data subjects have given their consent. Should no consent have been given, personal identity numbers may be processed only when it is clearly justified, taking into consideration:
- The purpose of the processing;
- The importance of an accurate identification; or
- Any other considerable reason.
According to chapter 5 section 1 of the Data Protection Act, in relation to certain types of personal data, a controller is exempt from its obligation to, e.g., provide data subjects with information and provide access to personal data. The exemption applies (i) if the controller is prohibited by law from disclosing the personal data concerned, or (ii) if the controller is not an authority, but the personal data concerned would be considered confidential under the Public Access to Information and Secrecy Act (Sw. Offentlighets- och sekretesslag (2009:400)).
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The principles of data protection by design and data protection by default (more commonly known as “privacy by design” and “privacy by default”) are set forth in article 25 of the GDPR.
Privacy by design is an approach that requires the controller to consider data protection issues from the design phase of any system, service, product or process and throughout its entire lifecycle.
Privacy by default means that the controller must ensure that, by default, personal data is not processed unnecessarily and that the least privacy-intrusive settings are chosen. It links to the fundamental principles of data minimisation and purpose limitation.
The principles of privacy by design and privacy by default mean that the controller shall implement appropriate technical and organisational measures and integrate the necessary safeguards into the processing, in order to meet the requirements of the GDPR and protect the rights of the data subjects.
A technical or organisational measure can be anything from the use of advanced technical solutions to the basic training of personnel. Examples of safeguards are providing automatic and repeated information to data subjects about what data is being stored, having a retention reminder in a data repository or implementation of a malware detection system on a computer network or storage system.
Article 25 does not oblige controllers to implement any specific technical and organisational measures or safeguards, provided that the chosen measures and safeguards are in fact appropriate. Controllers must consider the current progress in technology and stay up to date with technological advances. Neglecting to keep up to date with technological changes could result in a violation of article 25. Furthermore, controllers must also be able to demonstrate that they have implemented sufficient measures and safeguards to achieve the desired effect in terms of data protection.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
According to article 30(1) of the GDPR, controllers are required to maintain records of all the processing activities which take place in the organisation. These records, which must be in writing, including in electronic form, must contain information explaining, inter alia, the purposes of all processing operations, the categories of data subjects and the categories of personal data, as well as a general description of the applied technical and organisational security measures.
Processors are also, to a more limited extent, obliged according to article 30(2) of the GDPR to maintain a record of all categories of processing activities carried out on behalf of a controller, containing, inter alia, the name and contact details of the processor and of each controller, the categories of processing and, where possible, a general description of the applied technical and organisational security measures.
The above obligations do not apply to organisations employing fewer than 250 persons, unless the processing is of a high-risk nature, including processing of special categories of personal data such as ethnic or health information, or data about criminal convictions and offences. Organisations need to make the records available to the supervisory authority upon request.
Furthermore, controllers are also required to be able to demonstrate compliance with the fundamental principles defined in article 5 of the GDPR. This accountability principle means that organisations must provide clear information to data subjects, establish a data protection policy and carry out an impact assessment before starting processing of personal data that involves high risks to data subjects.
Do the laws in your jurisdiction require or recommend having defined data retention and data disposal policies and procedures? If so, please describe these data retention and disposal requirements.
The GDPR does not specify any retention periods for personal data. Article 5(1)(e) of the GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (i.e. the principle of storage limitation).
This means that organisations processing personal data must limit the storage of personal data. Thus, the Swedish Authority for Privacy Protection asserts that organisations should have established procedures for erasure of personal data, for example regular checks and manual/automatic erasure after a certain period of time.
As stated above, the general data retention requirement is that storage of personal data is only allowed for as long as it is necessary for the purposes for which the personal data is processed. Thereafter, the personal data shall be anonymized or deleted. However, even if the processing of personal data no longer is necessary, the data may be stored for longer periods, e.g., when it is required in national law. Personal data may also be stored for longer periods if the data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
In some cases, the retention period is specifically stipulated in an act governing the personal data processing, such as e.g. in the Swedish Whistleblowing Act, (Lag (2021:890) om skydd för personer som rapporterar om missförhållanden) that stipulates that personal data in a “whistleblowing-file” can be stored for a maximum of two years.
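The procedure described above (purpose-specific retention periods, regular checks, erasure or anonymisation once the period has run, and longer storage where national law, a legal claim or an archiving purpose requires it) can be implemented as a scheduled job. The following is an added example and is not part of the original text or of any Swedish authority’s guidance. The purposes, the retention periods other than the two-year whistleblowing maximum quoted above, the `legal_hold` and `archive_only` flags and the sample records are all constructed for illustration.

```python
"""Retention enforcement job illustrating the storage-limitation principle.

Added example, not from the original page. Purposes, periods (other than the
two-year whistleblowing period quoted on the page) and records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention schedule in days per processing purpose. Assumed values, except the
# whistleblowing period, which mirrors the two-year maximum quoted on the page.
RETENTION_DAYS = {
    "whistleblowing_file": 2 * 365,
    "customer_support_ticket": 365,
    "marketing_consent": 3 * 365,
}


@dataclass
class Record:
    record_id: str
    purpose: str
    retention_start: datetime        # when this purpose's retention clock started
    data_subject: str = ""           # direct identifier, e.g. an e-mail address
    personal_fields: dict = field(default_factory=dict)
    legal_hold: bool = False         # kept because national law or a claim requires it
    archive_only: bool = False       # retained solely for statistics/research (art. 89)
    anonymised: bool = False


def expiry(record):
    """Date the purpose-specific period ends, or None if the purpose has no
    documented period (which is itself a finding for the records of processing)."""
    days = RETENTION_DAYS.get(record.purpose)
    return None if days is None else record.retention_start + timedelta(days=days)


def decide(record, now):
    """Classify a record as keep, review, hold, anonymise or erase."""
    ends = expiry(record)
    if ends is None:
        return "review"      # undocumented purpose: nothing to enforce against
    if now < ends:
        return "keep"
    if record.legal_hold:
        return "hold"        # longer storage required by law or a pending claim
    if record.archive_only:
        return "anonymise"   # purpose no longer needs an identifiable person
    return "erase"


def anonymise(record):
    """Strip direct identifiers and free-text fields so the record no longer
    relates to an identifiable person; only purpose and timestamps remain."""
    record.data_subject = ""
    record.personal_fields = {}
    record.anonymised = True
    return record


def run_retention(records, now):
    """Apply the schedule. Returns (surviving records, {record_id: action})."""
    survivors, actions = [], {}
    for rec in records:
        action = decide(rec, now)
        actions[rec.record_id] = action
        if action == "erase":
            continue
        if action == "anonymise":
            rec = anonymise(rec)
        survivors.append(rec)
    return survivors, actions


def due_soon(records, now, within_days=30):
    """Retention reminder: ids whose period ends within the window, sorted."""
    horizon = now + timedelta(days=within_days)
    due = []
    for rec in records:
        ends = expiry(rec)
        if ends is not None and now <= ends <= horizon:
            due.append(rec.record_id)
    return sorted(due)


# Constructed sample dataset, relative to a fixed "now" so the run is repeatable.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)


def sample_records():
    def days_ago(n):
        return NOW - timedelta(days=n)
    return [
        Record("wb-1", "whistleblowing_file", days_ago(800), "anna@example.com", {"report": "..."}),
        Record("wb-2", "whistleblowing_file", days_ago(100), "bo@example.com"),
        Record("wb-3", "whistleblowing_file", days_ago(720), "cia@example.com"),
        Record("sup-1", "customer_support_ticket", days_ago(400), "dan@example.com", legal_hold=True),
        Record("stat-1", "customer_support_ticket", days_ago(400), "eva@example.com",
               {"ticket_text": "..."}, archive_only=True),
        Record("mk-1", "marketing_consent", days_ago(200), "fia@example.com"),
        Record("unk-1", "legacy_export", days_ago(3000), "gus@example.com"),
    ]


if __name__ == "__main__":
    kept, actions = run_retention(sample_records(), NOW)
    for rid, act in actions.items():
        print(f"{rid}: {act}")
    print("due within 30 days:", due_soon(kept, NOW))
```

Two design points matter in practice: the `review` outcome surfaces records whose purpose has no documented retention period, which is an accountability gap rather than something to silently erase, and `hold` keeps the data without changing its identifiability, so a real job would additionally restrict who can read such records while the hold lasts.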
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
According to article 36 of the GDPR, a controller is required to consult the Swedish Authority for Privacy Protection prior to initiating processing, when a conducted data protection impact assessment (a “DPIA“), defined under article 35 (please see more detailed information under question 14), indicates that the processing would result in a high risk, despite the measures taken by the controller to mitigate risk.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Yes, a DPIA should, according to article 35 of the GDPR, be carried out where the intended processing, in particular processing using new technologies, is likely to result in a high risk to data subjects. When carrying out a DPIA, the controller shall seek the advice of the data protection officer, where one has been designated.
Article 35(3) lists three examples of types of processing that automatically requires a DPIA, these are:
- A systematic and extensive evaluation of personal aspects which is based on automated processing, including profiling, and on which decisions are based that produce legal effects or significantly affect the person;
- Processing on a large scale of special categories or of personal data relating to criminal convictions and offences; and
- A systematic monitoring of a publicly accessible area on a large scale
Further, the Swedish Authority for Privacy Protection has published a list specifying when a DPIA is required. The list is not exhaustive and may be updated and supplemented with more examples. Generally, a DPIA should be performed if at least two of the criteria below are met regarding the intended processing operations:
- Evaluating or rating of data subjects, e.g. an organisation that offers genetic tests directly to consumers to assess and predict disease and health risks, a credit rating agency or a company that profiles internet users
- Processing of information to make automated decisions with legal or similar significant effects
- Systematically monitoring data subjects, e.g. through video surveillance of a publicly accessible area or by collecting data about internet usage in publicly accessible areas
- Processing of sensitive data according to article 9 or data of a highly personal nature, e.g. a hospital that stores patients’ medical records, a company that collects location data or a bank that handles financial information
- Processing of data on a large scale
- Combining data from two or more processing operations in a way that would exceed the reasonable expectations of the data subject, e.g. when two filing systems are matched against each other
- Processing of data concerning data subjects who can be in a position of dependence or disadvantage and who are therefore vulnerable, e.g. children, employees, asylum seekers, elderly and patients
- Use of new technological or organisational solutions, e.g. Internet of Things applications (IoT)
- Processing of data for the purpose of preventing data subjects from using a service or entering a contract, e.g. when a bank screens its customers against a credit reference database to decide whether to offer them a loan
However, a DPIA is only required if the processing is likely to result in a high risk to the data subjects’ rights and freedoms. Should the controller consider that the intended processing is of low risk, even though the processing operation meets two or more of the above criteria, the controller may choose to refrain from conducting a DPIA. In such a case, the controller should justify and document the reasons for refraining from conducting the DPIA.
If a DPIA is required, it must be carried out prior to the processing and at least contain the following information:
- A description of the envisaged processing operations, its purposes and the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purpose;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisaged to address the risks.
The controller must be able to justify and document its chosen activities. Depending on the scope of the DPIA there are different approaches to assessment and documentation. Further, it is important that the controller has appropriate policies in place within its organisation to ensure that a DPIA is considered in relation to any new processing activities and, where a DPIA is to be performed, how it will be carried out.
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
Article 37 of the GDPR stipulates that a data protection officer shall at least be designated by controllers and processors where:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to article 9 of the GDPR and personal data relating to criminal convictions and offences referred to in article 10 of the GDPR.
For company groups, a single data protection officer can be designated provided that the data protection officer is easily accessible from each establishment in the group. The designated data protection officer shall be registered with the Swedish Authority for Privacy Protection.
Article 8 of the Data Protection Act places a legal obligation of confidentiality on the data protection officer, as it stipulates that the data protection officer may not – without permission – disclose information that he or she has obtained when performing his or her duties as data protection officer.
The data protection officer shall be involved in all issues which relate to the protection of personal data and at least perform the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other union or member state data protection provisions;
- to monitor compliance with the GDPR, with other union or member state data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to article 35 of the GDPR;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter.
It should be noted that the data protection officer is not personally responsible for any non-compliance with the GDPR by the controller or processor.
Do the laws in your jurisdiction require or recommend employee training? If so, please describe these training requirements.
There are no legal requirements or recommendations regarding employee training. However, employees handling personal data must have sufficient knowledge to be able to act in accordance with the national laws and regulations.
According to Article 24 of the GDPR, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. An example of an organizational measure is to educate employees and give them sufficient knowledge about data protection.
Besides the controller, the data protection officer’s tasks also include the education of employees. Article 39(1)(a) of the GDPR states that the data protection officer must inform and advise employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions. Furthermore, according to Article 39(1)(b), the data protection officer shall monitor compliance with the policies of the controller or processor, including the awareness-raising and training of staff involved in processing operations.
Do the laws in your jurisdiction require businesses to provide notice to individuals of their processing activities? If so, please describe these notice requirements (e.g., posting an online privacy notice).
According to articles 13 and 14 of the GDPR, controllers are required to provide notice to individuals of the controllers’ processing activities. The notice requirement varies slightly depending on whether the personal data has been collected from the individual or has been obtained elsewhere. Generally, the notice shall contain information on the identity and contact details of the controller, the categories of personal data that the controller is processing, the purposes of the processing, whether the personal data will be shared with others and/or transferred to a country outside the EU/EEA, and the period during which the controller will process the personal data. Further, the individual shall be informed of his or her rights under the GDPR and of the right to lodge a complaint with the supervisory authority with respect to the processing.
The GDPR does not require that the notice is given in a certain format; however, the notice shall be easily accessible (i.e. the individual shall not have to seek out the information but shall be readily provided with it). Further, the notice shall be given in clear and plain language, especially where children are the intended recipients of the notice. The information shall be clearly differentiated from other information which is not related to data processing. Many controllers elect to publish these notices on their websites or intranets, and often highlight the existence of the notice by including links to it in email signatures and other correspondence.
Chapter 6 paragraph 18 of the Electronic Communications Act stipulates that all visitors to a website where the website holder has placed cookies should be notified that the website is using cookies and the purposes of such cookies. For more information on the information requirements with respect to cookies, please see question 20 below.
According to the Camera Surveillance Act, controllers are required to provide detailed information to data subjects if any video surveillance is in operation. The European Data Protection Board (EDPB) has published guidance on the processing of personal data through video surveillance systems (Guidelines 3/2019 on processing of personal data through video devices) in which, inter alia, the transparency and information obligation is described in detail.
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (e.g., are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
The GDPR draws a distinction between the controller and the processor insofar as the controller remains responsible for being able to demonstrate that processing undertaken on the controller’s behalf complies with the requirements of the GDPR even if a processor has been engaged. The controller shall, according to article 28(1) of the GDPR, only use processors that can provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.
Notwithstanding the foregoing, the GDPR imposes obligations directly on the processor, such as an obligation to observe the general principles for data processing, to keep records of data processing activities, to implement appropriate technical and organisational measures to ensure an adequate level of data security, etc. Furthermore, processors shall not engage a sub-processor without the prior specific or general written authorization of the controller.
It is not uncommon that legal obligations placed on the controller are passed on to the processor in the parties’ data processing agreement.
The Data Protection Act applies to both controllers and processors.
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g., due diligence or privacy and security assessments)?
Article 28 of the GDPR stipulates that a controller who appoints a processor to process personal data on behalf of the controller must enter into a contract or other legal act under union or member state law with such processor. This is typically done by way of a so-called data processing agreement (“DPA”). The contract between the controller and processor shall, as a minimum, contain information on the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. Further, the contract shall stipulate, inter alia, how the processor may use the personal data, what security measures the processor undertakes to have in place and whether the processor shall delete or return the personal data upon expiry of the contract between the controller and processor.
As mentioned under question 18, the controller may only use processors who provide sufficient guarantees that processing will meet the relevant data protection requirements and protect data subjects’ rights, such as to provide sufficient guarantees that appropriate technical and organisational measures will be in place. Thus, although the GDPR does not stipulate a certain due diligence process for appointing processors, it is necessary that the controller verifies that the processor can provide said guarantees before such processor is appointed.
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
The term monitoring is not used nor defined in the GDPR but may involve the processing of personal data and in such case the processing must comply with applicable legislation.
Profiling is defined in article 4(4) of the GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements“. Thus, profiling must involve some form of automated processing, personal data and an evaluation of personal aspects. Profiling is, according to recital 72 of the GDPR, subject to the rules governing the processing of personal data, such as the legal grounds for processing and the data protection principles.
Closely connected to profiling is automated individual decision-making, which may partially overlap with or result from profiling. The data subject shall, according to article 22 of the GDPR, have the right not to be subject to a decision based solely on some form of automated decision-making, including profiling, if the decision has legal consequences for the individual or similarly affects him or her to a considerable degree. Automated decision-making may for example consist of the automated refusal of an online credit application or a rejection from an online e-recruitment process without any personal contact. Automated decision-making may be permitted if it is necessary for entering into or performing a contract between the data subject and the controller, or if the individual has given his or her explicit consent. It may also be permitted under special legislation.
According to chapter 6 paragraph 18 of the Electronic Communications Act, all visitors to a website should be informed if the website uses cookies and why they are used. Visitors should also agree to the website’s use of cookies. This does, however, not prevent such storage or access as is necessary to transmit an electronic message via an electronic communications network or to provide a service explicitly requested by the visitor. Furthermore, the Swedish Post and Telecom Authority (the “PTS“) recommends that the website informs visitors what the different cookies are called, to which domain they belong, what kind of data is stored in the cookies and how long the cookies are saved in the visitor’s web browser. It should also be clearly stated whether the information comes from or will be submitted to a third party.
Further, the Court of Justice of the European Union (the “CJEU”) delivered its judgement in the Planet49 case with regard to cookies and consent under the GDPR. The decision of the CJEU provided further confirmation that the consent requirement in relation to cookies is now the higher standard of consent as defined in the GDPR. Pre-checked boxes and statements in privacy policies which rely on users’ “passive consent” given through continued use of a website are now highly unlikely to constitute valid consent.
Please describe any restrictions on cross-contextual behavioral advertising. How is this term or related terms defined?
The term “cross-contextual behavioral advertising” does not exist as a term in Sweden. However, advertising to a consumer based on information obtained from applications other than the one the consumer intentionally interacted with is nevertheless regulated in Sweden.
The current ePrivacy Directive includes rules regarding third-party cookies. Third-party cookies are created and placed by websites other than the website that a consumer is visiting. According to the directive, the use of such cookies requires consent from the consumer. If cookies are used to identify users, they also qualify as personal data and are therefore subject to the GDPR. The requirements set out in the GDPR regarding consent or legitimate interest must be taken into consideration (please see the answer to question 4).
Please describe any laws in your jurisdiction addressing the sale of personal information. How is “sale” or related terms defined and what restrictions are imposed, if any?
Sale of personal data is one way of processing personal data according to the GDPR. There are no specific restrictions on the sale of personal data beyond the restrictions that always apply. When processing personal data by selling it to an independent third party, at least one legal basis set out in Article 6 of the GDPR must be met for every instance of processing (see question 4). In relation to the sale of personal data, consent may be used as a legal ground. The data subjects must also be aware of and informed about the purposes for which the personal data was collected, e.g. for the purpose of selling the data.
Please describe any laws in your jurisdiction addressing telephone calls, text messaging, email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
The Electronic Communications Act implements Directive 2002/58/EC on privacy and electronic communications. Providers of electronic communications services (e.g. e-mail services) must implement appropriate organisational and technical measures in order to protect data processed in the service. Integrity incidents must be notified to the PTS and in some cases to the customers and users of the service. This notification requirement is in addition to any notification requirements under the GDPR.
The Electronic Communications Act also imposes limitations on the duration and purposes of the processing of traffic data (i.e. data processed in order to transmit an electronic message or to charge the customer for such a service). Traffic data regarding users who are natural persons shall be erased or anonymised when the data is no longer needed to transmit the electronic message. However, there are some derogations from this requirement.
One derogation is that traffic data may be used for the purpose of marketing electronic communications services or to provide other services that require such data. Such processing will, however, require the prior consent of the party whom the traffic data concerns. The consent of a data subject shall be a valid consent in accordance with the GDPR’s requirements.
The Marketing Act governs, inter alia, unsolicited marketing. Marketing by automatic means, e.g. through e-mail, to a natural person requires prior consent from the person concerned. However, if the person’s e-mail address was obtained in connection with the sale of products or services to that person, consent is not required if all of the following three requirements are met: (i) the person must not have objected to receiving e-mail marketing; (ii) the marketing may only relate to the seller’s own, similar products or services (i.e. those the person has shown interest in); and (iii) the person must clearly and explicitly have been able to object to the use of e-mail for marketing purposes both when the data was collected and in conjunction with each subsequent marketing communication (i.e. a possibility to opt out easily and free of charge).
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
Under article 9(1) of the GDPR, the processing of biometric personal data in order to identify a natural person constitutes the processing of special categories of personal data. The general rule is that it is prohibited to process such data. In order to process special categories of personal data, a derogation from the prohibition under article 9(2) of the GDPR is required.
There are several derogations from the general rule. Sweden and other EU member states may also set up further national conditions and limitations for the processing of biometric data (article 9(2) GDPR).
Under article 9(2)(a) of the GDPR, the processing of special categories of personal data may be permissible if the data subject has given his or her explicit consent to the processing concerned. However, EU law, Swedish law, or otherwise applicable national law of an EU member state may prohibit the processing even with the data subject’s consent. It should be noted that the first fine issued by the Swedish Authority for Privacy Protection for breach of the GDPR concerned a school using facial recognition technology to register the students’ attendance in class (decision DI-2019-2221, dated 20 August 2019). Both the students and their parents (guardians) had provided their consent to the processing. However, the Swedish Authority for Privacy Protection stated in its decision that the consent was not valid due to an imbalance between the data subjects and the controller. The students were found to be in a position of dependence with respect to the school as regards grades, student grants and loans and education, and therefore also as regards their scope to obtain employment in the future or to continue further education. In a decision dated 10 February 2021 (DI-2020-2719), the Swedish Authority for Privacy Protection found that the Swedish Police Authority had processed personal data in breach of the Swedish Criminal Data Act when using Clearview AI (an application used for facial recognition) to identify individuals.
Processing of biometric personal data in order to identify a natural person may also be permitted in order to protect a person’s vital interests or if it is necessary for the purpose of a substantial public interest.
In any event, it is important that the processing of biometric personal data fulfils the basic principles of the GDPR, especially as regards data minimisation. Thus, the processing must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (article 5(1)(c) of the GDPR). According to recital 39 of the GDPR, personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. If the purpose of the processing of biometrics (e.g. through facial recognition) can be fulfilled by other means, without a need to process such sensitive data, that option must be chosen instead.
Before initiating a processing activity involving biometrics, the controller should carry out a DPIA to assess whether it is lawful to conduct the intended processing and, if necessary, initiate a prior consultation with the Data Protection Authority. The Camera Surveillance Act will in some cases require a prior authorisation before a camera is installed.
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism? Does a cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
The transfer of personal data outside the EU and European Economic Area (EEA) is restricted by chapter 5 of the GDPR. It is permitted to transfer personal data to countries outside the EU/EEA under certain conditions:
- The European Commission has decided that the country outside the EU/EEA in question ensures an adequate level of protection;
- Appropriate protection measures have been taken, for example Binding Corporate Rules (BCR), or Standard Contractual Clauses (SCC); or
- Special situations and single cases, for example if the data subjects have given their explicit and informed consent or if it is necessary in order to establish, exercise or defend legal claims.
The European Commission can decide that a country has a sufficiently high level of protection, and controllers may then transfer personal data without any special authorisation. Such a decision can also apply to a certain territory, an international organization or one or several sectors in a third country.
BCR are rules that a group with companies in several different countries can draw up to define its processing of personal data. BCR must be approved by the Swedish Authority for Privacy Protection or another supervisory authority within the European Union.
The European Commission has approved certain standard contractual clauses that concern data protection. If you enter into a contract that contains these standard contractual clauses with someone outside the EU/EEA, it is permitted to transfer data to them.
On 16 July 2020, the European Court of Justice (the “CJEU“) issued its ruling in Case C-311/18 (the “Schrems II” case), which concerned Facebook’s transfer of personal data from servers in Ireland to servers in the USA.
The CJEU concluded that personal data can no longer be legally transferred to the USA (or processed with access from the USA) on the basis that the recipient has self-certified under the Privacy Shield framework. Privacy Shield was invalidated for two main reasons. First, the court found that US surveillance programs are not limited to what is strictly necessary and proportionate as required by EU law. Second, the CJEU determined that, with regard to US surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the US.
The CJEU reaffirmed the validity of SCCs but stated that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it does not, that companies must provide additional safeguards or suspend transfers. The CJEU itself assessed the sufficiency of protections with regard to US government access to data and found them lacking.
In light of the Schrems II decision, the European Data Protection Board (“EDPB“) issued recommendations on supplementary transfer tools to ensure compliance with the EU level of protection of personal data (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted version for public consultation).
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
According to article 32 of the GDPR, both the controller and the processor shall implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Which security measures are appropriate has to be decided on a case-by-case basis, but the GDPR gives examples of measures that should be considered: (i) pseudonymisation and encryption of personal data, (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
One way of ensuring appropriate security in the processing of personal data is to adhere to a code of conduct approved by the Data Protection Authority or to become certified. Codes of conduct and certification mechanisms are still few and under development. For the avoidance of doubt, adherence to a code of conduct or a certification does not in itself mean that a controller or processor fulfils the security requirements set forth in the GDPR.
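As an added illustration of the first article 32 measure named above, pseudonymisation, the following Python is example code written for this section; it is not part of this guide nor material from any Swedish authority. It shows why a keyed pseudonym (HMAC with a secret key stored apart from the dataset) is the usual choice over a plain hash: Swedish personal identity numbers form a small, enumerable space, so an unkeyed hash can simply be recomputed for every candidate. The records, identity numbers and the name `ReidentificationTable` are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample records (fictitious persons and fictitious identity numbers).
SAMPLE_RECORDS: List[Dict] = [
    {"personnummer": "19800101-1234", "city": "Stockholm", "balance": 1200},
    {"personnummer": "19750505-5678", "city": "Malmö", "balance": 50},
    {"personnummer": "19800101-1234", "city": "Stockholm", "balance": 1300},
]


def new_pseudonymisation_key() -> bytes:
    """Generate the secret key. It must be held separately from the pseudonymised
    dataset (e.g. in a key vault): whoever holds both can re-identify everyone,
    which is exactly the "additional information" GDPR article 4(5) wants kept apart."""
    return secrets.token_bytes(32)


def pseudonymise_id(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) for one direct identifier.

    Deterministic: the same identifier always maps to the same pseudonym, so the
    records of one data subject stay linkable for analysis. Without the key the
    pseudonym cannot be mapped back, even though the identifier space is small."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: List[Dict], key: bytes,
                         id_field: str = "personnummer") -> List[Dict]:
    """Return copies of the records with the direct identifier replaced by its pseudonym."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject_id"] = pseudonymise_id(copy.pop(id_field), key)
        out.append(copy)
    return out


class ReidentificationTable:
    """Controller-side mapping pseudonym -> identifier, stored apart from the data.

    The controller needs it to honour access and erasure requests for a
    pseudonymised record; analysts working on the dataset never see it."""

    def __init__(self) -> None:
        self._map: Dict[str, str] = {}

    def register(self, identifier: str, key: bytes) -> str:
        pseudonym = pseudonymise_id(identifier, key)
        self._map[pseudonym] = identifier
        return pseudonym

    def resolve(self, pseudonym: str) -> str:
        return self._map[pseudonym]


def unkeyed_hash_is_guessable(identifier: str, candidates: List[str]) -> bool:
    """Why a plain hash is not enough: if the identifier space can be enumerated,
    anyone can hash every candidate and compare. Returns True when the unkeyed
    sha256 of `identifier` is found among the hashed candidates, i.e. the
    so-called pseudonym is reversible without any secret."""
    target = hashlib.sha256(identifier.encode("utf-8")).hexdigest()
    return any(hashlib.sha256(c.encode("utf-8")).hexdigest() == target
               for c in candidates)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    table = ReidentificationTable()
    for rec in SAMPLE_RECORDS:
        table.register(rec["personnummer"], key)
    for rec in pseudonymise_records(SAMPLE_RECORDS, key):
        print(rec)
```

Pseudonymised data is still personal data under the GDPR, since the controller can re-identify it with the key; the measure reduces the impact of a breach of the dataset alone, which is why the key and the re-identification table must live in a different system with different access rights.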
There is also other, more specific legislation addressing security obligations for the processing of data. The Protective Security Act (Sw. Säkerhetsskyddslag (2018:585)) and the Protective Security Ordinance (Sw. Säkerhetsskyddsförordning (2018:658)) apply to anyone conducting activities of importance for Sweden’s security, or activities covered by an international protective security commitment that is binding on Sweden. Anyone carrying out such activities must, inter alia, conduct a security analysis and plan and implement appropriate security measures. That includes, but is not limited to, security measures in relation to personal data in order to prevent the disclosure, loss or erasure of data. Any systems used must be assessed to ensure appropriate security of such systems. There are also requirements on perimeter security.
The NIS Act and the NIS Ordinance are subsidiary to any other national legislation that imposes the same or stronger security requirements. The purpose of the NIS Act is to ensure a high level of security in the networks and systems of providers of (i) essential services within the following sectors: energy, transportation, banks, financial market infrastructure, healthcare, distribution of drinking water and digital infrastructure; and (ii) digital services. (Please note that the applicability of NIS will be widened according to a proposal for a revised NIS Directive presented by the EU Commission on 16 December 2020.)
Providers of essential services must carry out systematic and risk-based information security work with regard to the networks and systems they use in order to provide the essential services. There are fewer requirements on providers of digital services; however, they must implement the technical and organisational measures they deem appropriate and proportionate to the risk when providing digital services within the EU. The provider shall also prevent and mitigate the effects of incidents that affect the networks and systems.
The NIS Ordinance provides further requirements on the security measures that providers of essential and digital services must implement. When designing the security measures, the providers shall take European and internationally accepted standards and specifications into account.
The Swedish Civil Contingencies Agency (MSB) and sector-specific supervisory authorities have the possibility to issue further regulations and guidelines on security. MSB has issued regulation MSBFS 2018:8 (which also includes general guidelines) regarding information security for providers of essential services. According to regulation MSBFS 2018:8, the provider of essential services shall conduct systematic and risk-based security work in accordance with the ISO 27000 series of standards on information security management or an equivalent standard. However, it is not a requirement to actually be certified.
According to the Electronic Communications Act, providers of generally available electronic communications services or networks must implement security measures. The PTS has also issued regulations on the security of generally available electronic communications services and networks.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
The term “security breach” is not used in the GDPR. Under GDPR, a “personal data breach” is defined in article 4 as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Businesses should have routines and policies in place to detect, investigate and potentially report personal data breaches to the relevant supervisory authority and notify affected individuals.
The Electronic Communications Act uses the term “integrity incident” (Sw. integritetsincident), which is defined as “an event that results in accidental or unauthorised deletion, loss or alteration, or unauthorised disclosure or unauthorised access to data processed in connection with the provision of generally available electronic communications services“.
The NIS Act defines in paragraph 2 the meaning of the word “breach” (Sw. incident) as “an event with an actual negative impact on the security of networks and information systems“.
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecoms, infrastructure, artificial intelligence)?
Yes. For example, certain security requirements are imposed on industries that fall under (i) the Protective Security Act and (ii) the NIS Act as providers of essential services; please see question 26 regarding security obligations for the processing of personal data. Industries such as telecoms, healthcare and the financial sector are heavily regulated by sector-specific security requirements.
Regarding artificial intelligence, a proposal has been presented within the EU for a regulation laying down harmonised rules on artificial intelligence. The proposal takes a proportionate, risk-based approach where the security requirements depend on the type of AI system. Certain “high-risk” AI systems that pose significant risks to the health and safety or fundamental rights of persons will have to comply with horizontal mandatory requirements for trustworthy AI and follow conformity assessment procedures before the systems can be placed on the Union market. For some AI systems only minimum transparency obligations are proposed. Note that the regulation is still a draft and is not yet in force.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
In the event of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The competent supervisory authority for processing conducted in Sweden and relating to Swedish data subjects will most likely be the Swedish Authority for Privacy Protection. If it is unlikely that the personal data breach will result in a risk to the rights and freedoms of natural persons, notification is not required. A delayed notification of a personal data breach shall be accompanied by the reasons for the delay.
The controller must also, without undue delay, notify the data subject of the personal data breach if it is likely to result in a high risk to the rights and freedoms of natural persons.
Note that breaches may also have to be notified to customers, data subjects or supervisory authorities under other legislation, such as the Electronic Communications Act, the NIS Act and the NIS Ordinance. Operators of essential services and digital service providers must notify MSB within 6 hours of identifying an incident and, within 24 hours, provide MSB with information about the measures taken to minimise the consequences of the incident.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
There is no specific legislation in Sweden regarding cybercrime, nor any specific guidance regarding the payment of ransoms in ransomware attacks. Provisions on information security are found in the different regulatory acts described under question 26 regarding security obligations for processing personal data. Regarding criminal liability for unlawful access to information, the key legislation is the Swedish Criminal Code (Sw. Brottsbalken (1962:700)) (the “Swedish Criminal Code“). Chapter 4, Section 9 c, states that any person who unlawfully obtains access to information intended for automatic processing, or unlawfully alters, erases, blocks or inserts such information in a register, shall be sentenced for breach of data secrecy. The same applies to a person who, through some other similar measure, seriously disturbs or impedes the use of such information in an unlawful way.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
No, the responsibility is divided between several national, sector-specific authorities such as the Swedish Authority for Privacy Protection, PTS, MSB and Sweden’s financial supervisory authority (FI). MSB is also responsible for helping Swedish society prepare for major accidents, crises and the consequences of war and is therefore heavily involved in cybersecurity matters. At EU level, ENISA (the EU Agency for Cybersecurity) should also be noted. ENISA provides recommendations on cybersecurity, supports the development and implementation of policies and collaborates with operational teams throughout Europe.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
Data subjects are granted the following rights under the GDPR:
- The right to be informed,
- The right of access,
- The right to rectification,
- The right to erasure,
- The right to restricted processing,
- The right to data portability,
- The right to object, and
- The rights in relation to automated decision making and profiling.
Data subjects may exercise the rights under the GDPR by contacting the controller or the processor (the latter shall, if contacted, forward the request to the controller for processing). The controller is obligated to respond to requests without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.
The right to be informed
Data subjects have the right to receive certain information when their personal data is processed, e.g. the name and contact details of the controller, the purpose of the processing, the retention period and the legal basis for the processing. If the personal data is obtained from the data subject, the information shall be provided in connection with the collection of the personal data. The information shall be provided free of charge, in an easily accessible written form, and shall be worded in clear and simple language.
There are certain exemptions to the right to be informed where the information has not been obtained from the data subject, e.g. if providing the information would be impossible or involve a disproportionate effort.
The right to receive certain information is also found in other national privacy laws, such as the Electronic Communications Act and the Camera Surveillance Act.
The right of access
The right of access gives the data subject a right to obtain a copy of their personal data as well as other supplementary information. The extract shall include information on, e.g., the categories of personal data undergoing processing, the purposes of the processing and the period for which the personal data will be stored.
The right of access covers all personal data processed by the controller, including personal data in unstructured form, e.g. in completed documents, audio and video recordings and e-mails. Certain personal data shall however be exempted from the extract, such as information that might affect the rights and freedoms of others (e.g. trade secrets or intellectual property rights) and information relating to persons other than the data subject requesting the extract.
The extract shall be provided free of charge. However, if the data subject requests multiple copies, or if a request is manifestly unfounded, excessive or otherwise unreasonable, the controller may be entitled to charge a reasonable fee based on administrative costs.
The right to rectification
The data subject has the right to request that the controller rectify inaccurate personal data concerning him or her. The data subject also has the right to have incomplete (missing) personal data supplemented, taking into account the purposes of the processing.
If personal data is rectified at a data subject’s request, the controller must inform any recipients to whom the data has been disclosed about the rectification. However, this does not apply if it proves impossible or excessively burdensome.
The right to erasure (to be forgotten)
The right to erasure, also known as “the right to be forgotten”, gives the data subject a right to have his or her personal data deleted under certain circumstances. This applies, for example, if the personal data is no longer necessary in relation to the purpose for which it was collected, or if the data subject withdraws his or her consent and no other legal basis applies.
There are a number of exceptions to this right and situations where a request for erasure may be refused, e.g., where the processing is necessary for reasons of freedom of expression and freedom of information or to comply with a legal obligation under law or to establish, exercise or defend legal claims.
In March 2020, the Swedish Authority for Privacy Protection imposed a fine of 75 million Swedish kronor (approximately 7 million euro) on Google for failure to comply with the data subject’s right to be forgotten.
The right to restrict processing
The data subject has the right to request that the controller restricts the processing of his or her personal data under certain circumstances. This right applies, for example, when the data subject contests the accuracy of the data, during a period when the controller has the possibility to verify such accuracy. When the processing has been restricted, the personal data may only be processed for certain limited purposes.
The right to data portability
The right to data portability allows the data subject to receive personal data concerning him or her and to transmit such data to another controller under certain circumstances.
This right only applies to personal data that the data subject has personally provided to the controller, or that has been generated by the data subject’s use of a service. Further, it only applies when the processing of personal data is based on consent or an agreement with the data subject. An example is a former employee requesting that certain data be transferred from a former employer to a new employer.
The right to object
The right to object gives the data subject a right to object to the processing of personal data concerning him or her under certain circumstances. The controller shall then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or unless the processing is necessary for the establishment, exercise or defence of legal claims.
When personal data is used for direct marketing, the data subject shall have the right to object at any time to such marketing, including profiling.
Rights in relation to automated decision making and profiling
The data subject has the right not to be subject to a decision based solely on automated decision-making, including profiling, if the decision has legal consequences for the individual or similarly affects him or her to a considerable degree. Examples of automated decision-making are the automated refusal of an online credit application or a rejection in online e-recruitment without any personal contact. Automated decision-making may however be permitted if it is necessary for entering into or performing a contract, or if the individual has given his or her explicit consent.
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
The rights of data subjects are both exercisable through the judicial system and enforced by regulators.
If a data subject considers that his or her rights have been violated, or that personal data has been processed in breach of the data protection legislation, the data subject may at any time file a complaint with the Data Protection Authority (article 77 of the GDPR). The Data Protection Authority reviews all complaints and assesses whether or not to proceed with the matter.
Data subjects may also bring private claims for damage against controllers and processors in general court.
Finally, the Data Protection Authority may also open supervisory matters on its own initiative, without having received any complaint from a data subject, based on, for example, information from the media or as part of its yearly supervision.
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Please see answer under question 33.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
According to article 82(1) of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive full and effective compensation from the controller or the processor for the damage suffered. This means that data subjects are entitled to claim compensation for non-financial damage, such as injury of feelings, even where no financial loss can be proven.
Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.
How are the laws governing privacy and data protection enforced?
In order to ensure consistent monitoring and enforcement of the GDPR throughout the EU, the supervisory authorities in each member state have been given the same tasks and effective powers, including investigative powers, corrective powers and sanctions, and authorisation and advisory powers (recital 129 of the GDPR).
Thus, according to article 58 of the GDPR, the Swedish Authority for Privacy Protection has the following investigative powers:
- to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative, to provide any information it requires for the performance of its tasks;
- to carry out investigations in the form of data protection audits;
- to carry out a review on certifications issued pursuant to article 42(7);
- to notify the controller or the processor of an alleged infringement of this Regulation;
- to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
The Swedish Authority for Privacy Protection has corrective powers such as the ability to issue warnings, reprimands, orders and bans on personal data processing to enforce compliance, as well as the right to impose administrative fines. Additionally, the Swedish Authority for Privacy Protection may advise controllers under the prior consultation procedure regarding DPIAs, issue opinions to the national parliament, government or other institutions, and approve draft codes of conduct.
What is the range of sanctions (including fines and penalties) for violation of these laws?
Infringements may be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
For less serious violations, the Swedish Authority for Privacy Protection can impose administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Administrative fines up to SEK 10 million for serious infringements and SEK 5 million for less serious infringements can also, according to chapter 6 section 2 of the Swedish Data Protection Act, be imposed on public authorities.
According to article 83 of the GDPR, the supervisory authorities are not obliged to impose administrative fines. Other corrective powers may be exercised in addition to, or instead of, administrative fines. When deciding whether to impose an administrative fine, and when deciding on its amount, due regard shall be given in each individual case to, inter alia, the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, and any action taken to mitigate the damage suffered by the data subjects.
Are there any guidelines or rules published regarding the calculation of fines or thresholds for the imposition of sanctions?
The Swedish Authority for Privacy Protection can impose administrative fines if a company contravenes the GDPR. Administrative fines can be imposed either in addition to, or instead of, the measures referred to in Article 58.2 a-h and j of the GDPR. According to Article 83.1 of the GDPR, administrative fines shall in every individual case be effective, proportionate and dissuasive. Furthermore, Article 83.2 provides a list of criteria that supervisory authorities shall take into consideration when assessing whether a fine should be imposed and when deciding the amount of a fine.
Article 83.3-6 of the GDPR contains thresholds for the amount of an administrative fine. The amount depends on which provision the infringement concerns and on the circumstances of the individual case. For example, some infringements can be subject to administrative fines of up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. A fine can amount to at most 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Guidelines regarding the calculation of fines have been published by the “Article 29 Working Party” and are applicable throughout the EU. The Article 29 Working Party guidelines concern in particular the criteria in Article 83.2 of the GDPR. The guidelines set out a number of principles that the supervisory authority must observe when using its powers under Article 58 of the GDPR (on Article 58, see the answer to question 36 above). The principles stated in relation to Article 58 are the following:
- Infringement of the Regulation should lead to the imposition of “equivalent sanctions”.
- Like all corrective measures chosen by the supervisory authorities, administrative fines should be “effective, proportionate and dissuasive”.
- The competent supervisory authority will make an assessment “in each individual case”.
- A harmonized approach to administrative fines in the field of data protection requires active participation and information exchange among Supervisory Authorities.
Regarding the assessment to be made under Article 83.2 of the GDPR, the guidelines provide information to help the authorities interpret the individual facts of a case in relation to the criteria in Article 83.2 of the GDPR.
The Swedish Authority for Privacy Protection has also published guidelines in relation to Article 83 of the GDPR. The guidelines include a description of the relevant rules in the GDPR and the criteria stated in Article 83.2.
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Any data subject and controller subject to the supervision of the Swedish Authority for Privacy Protection has, according to article 78(1) of the GDPR, the right to appeal to the courts against its decisions. Supplementary provisions regarding the appeal procedure are found in chapter 4 sections 3-5 of the Swedish Data Protection Act and in paragraph 22 of the Swedish Administrative Procedure Act (Sw. Förvaltningslagen (1986:223)).
Are there any proposals for reforming data protection or cybersecurity laws currently under review? Please provide an overview of any proposed changes and how far such proposals are through the legislative process.
In December 2020 the European Commission presented a proposal to replace the Network and Information Security (NIS) Directive. The NIS2 proposal increases the number of entities covered, which means that more sectors must take technical and organisational measures to manage the risks posed to the security of network and information systems.
As mentioned under question 1, a proposal for a new ePrivacy Ordinance (ePR) has been accepted by the Council of the European Union. It is still unclear when it will be completed and enter into force, but it is not likely to happen before 2023.
Other proposed legislation within the EU includes:
- The Data Governance Act, which aims to create a framework for sharing data.
- The AI Act, with a major impact on machine learning and automated decision making.
- The Data Act, which aims, among other things, to create an internal “data market” within the EU and increase access to it.
Sweden: Data Protection & Cyber Security
This country-specific Q&A provides an overview of the Data Protection & Cyber Security laws and regulations applicable in Sweden.