Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Sweden - Data Protection

History of Data Protection in SWEDEN

Sweden was among the first countries in Europe to introduce data protection legislation, with the Data Act 1973. This act regulated the automated processing of files containing personal data.

The rapid advances of technology placed considerable strain on the aging Data Act by the time Directive 95/46/EC was introduced. The Swedish government recognised this, and acted promptly to implement the Directive into national legislation.

The Personal Data Act 1998 implemented 95/46/EC, although there was a 3 year transitional period during which both acts operated alongside each other. Indeed, in certain situations, the old Data Act still applies.

Summary of Data Protection in SWEDEN

Title of Data Protection Legislation Personal Data Act 1998
Name of supervisory authority Data Inspection Board
General Powers of supervisory authority The Board's website outlines some of the its key functions: "The Board works to prevent encroachment upon privacy through information and by issuing directives and codes of statutes. The Board also handles complaints and carries out inspections. By examining government bills the Data Inspection Board ensures that new laws and ordinances protect personal data in an adequate manner." The powers of the board in relation to supervision are contained in Section 43 of the Act: "The supervisory authority is entitled for its supervision to obtain on request
a) access to the personal data that is processed,
b) information about and documentation of the processing of personal data and security ofthis processing, and
c) access to those premises linked to the processing of personal data."
Who has standing to notify the supervisory authority of breaches? Anybody
What are the penalties for data controllers if they breach the law? The Personal Data Act 1998 section 45 enables the commission to levy a fine on any controller who breaches the law. In more serious cases, imprisonment is a possibility (section 49).
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes. Section 22 of the 1998 Act states that: "Information about personal identity numbers or classification numbers may, in the absence ofconsent, only be dealt with when it is clearly justified having regard to
a) the purpose of the processing,
b) the importance of a secure identification, or
c) some other noteworthy reason". In addition, section 50 adds that:
"The Government or the authority appointed by the Government may issue more detailedregulations concerning []
c) the cases in which use of personal identity number is permitted."
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? No, although information about a deceased person does fall under the Act if it also constitutes information about a living person.
Who is able to indirectly identify the data subject? Anybody.

Laws and Regulations

Institutions