Implementation Guide for GDPR in Sweden
In Sweden, the General Data Protection Regulation (GDPR) primarily focuses on the protection of living individuals' personal data. Data relating to deceased persons fall outside its scope [1].
Ethical review obligations in Sweden can, however, apply to research involving deceased persons if the research involves sensitive procedures or data [5]. For instance, studies involving procedures on deceased persons require ethical review under the Swedish Ethical Review Act.
Sensitive personal data categories under GDPR, such as health data and genetic data, are carefully managed when relating to living persons, but such protections do not apply posthumously [5]. At present, Swedish law contains no clear reference to a specific national law governing the processing of deceased persons' data beyond the ethical review process.
The law does not grant additional powers to the Data Protection Authority (DPA) in Sweden, known as Datainspektionen. The DPA has only issued warnings, reprimands, and orders for breaches of the GDPR [2]. There are no specific national rules on the DPA's power to obtain information from controllers or processors that are subject to obligations of professional secrecy.
The DPA's decisions regarding breaches of the GDPR or sanctions under the Data Protection Act may be appealed to the administrative court. The DPA has issued a number of practical guides on GDPR compliance on its website [6].
Data Protection Officers (DPOs) are only mandatory in the circumstances set out in Art. 37(1) GDPR. Data transfers from public registers are not subject to specific rules [7].
The GDPR and the Data Protection Act also apply to activities which fall outside the scope of EU law and to activities Sweden carries out in relation to its participation in the formulation of EU foreign and security policy [8].
Administrative fines may be imposed on public authorities in Sweden for breaches of the GDPR. The maximum fines are SEK 5 million (approx. €470,000) for infringements of Art. 83(4) GDPR and SEK 10 million (approx. €940,000) for infringements of Arts. 83(5) & 83(6) GDPR [9].
For further information and services in Data, Privacy & Cybersecurity, Technology, AI, Fintech, Sports, and Privacy Advisory and Compliance, contact Dr. Detlev Gabel and Tim Hickman [10].
This publication is provided for convenience and does not constitute legal advice. It is protected by copyright and © 2019 White & Case LLP.
[1] Source: [Link to the original source, if available]
[2] Source: [Link to the original source, if available]
[3] Source: [Link to the original source, if available]
[4] Source: [Link to the original source, if available]
[5] Source: [Link to the original source, if available]
[6] Source: [Link to the original source, if available]
[7] Source: [Link to the original source, if available]
[8] Source: [Link to the original source, if available]
[9] Source: [Link to the original source, if available]
[10] Source: [Link to the original source, if available]
- Under the GDPR in Sweden, only the personal data of living individuals is protected, as the regulation does not extend to deceased persons.
- Research involving deceased persons in Sweden may be subject to ethical review obligations if sensitive procedures or data are involved.
- There is no specific national law in Sweden that governs the processing of deceased persons' data beyond the ethical review process.
- The Swedish Data Protection Authority, Datainspektionen, has no additional powers beyond those granted by the GDPR and can only issue warnings, reprimands, and orders for GDPR breaches.
- The decisions of the Swedish Data Protection Authority may be appealed to an administrative court.
- Data Protection Officers (DPOs) are mandatory only under certain circumstances, and data transfers from public registers are not subject to specific rules.
- The GDPR and the Data Protection Act also apply to activities outside the scope of EU law and to Sweden's participation in the formulation of EU foreign and security policy.
- Administrative fines can be imposed on public authorities in Sweden for GDPR breaches, with maximum fines of SEK 10 million for infringements of certain GDPR articles.
- For information and services in Data, Privacy & Cybersecurity, Technology, AI, Fintech, Sports, and Privacy Advisory and Compliance, contact Dr. Detlev Gabel and Tim Hickman at White & Case LLP's website, whitecase.com.