The purpose of this Act is to protect people against the violation of their personal integrity by processing of personal data.

If another statute or other enactment contains provisions that deviate from this Act, those provisions shall apply.

The Act is also applicable when the controller of personal data is established in a third country but for the processing of the personal data uses equipment that is situated in Sweden.  However, this does not apply if the equipment is only used to transfer information between a third country and another such country.

In the case referred to in the second paragraph, first sentence, the controller of personal data shall appoint a representative for himself who is established in Sweden. The provisions of this Act concerning the controller of personal data shall also apply to the representative.

The Act also applies to other processing of personal data, if the data is included in or is intended to form part of a structured collection of personal data that is available for searching or compilation according to specific criteria.

This Act does not apply to such processing of personal data that a natural person performs in the course of activities of a purely private nature.

The provisions of this Act are not applied to the extent that they would contravene the provisions concerning the freedom of the press and freedom of expression contained in the Freedom of the Press Act or the Fundamental Law on Freedom of Expression.

The provisions of Sections 9–29 and 33–44 and also Section 45, first paragraph, and Sections 47–49 shall not be applied to such processing of personal data as occurs exclusively for journalistic purposes or artistic or literary expression.

The provisions of this Act are not applied to the extent that they would limit an authority’s obligation under Chapter 2 of the Freedom of the Press Act to provide personal data.

Nor do the provisions prevent an authority from archiving or saving official documents or that archive material is taken care of by an archive authority. The provisions of Section 9, fourth paragraph, do not apply to the use by an authority of personal data in official documents.

b) personal data is always processed in a correct manner and in accordance with good practice,

d) personal data is not processed for any purpose that is incompatible with that for which the information is collected,

e) the personal data that is processed is adequate and relevant in relation to the purposes of the processing,

f) no more personal data is processed than is necessary having regard to the purposes of the processing,

h) all reasonable measures are taken to correct, block or erase such personal data as is incorrect or incomplete having regard to the purposes of the processing, and

i) personal data is not kept for a longer period than that as is necessary having regard to the purpose of the processing.

However, as regards the first paragraph, d), the processing of personal data for historical, statistic or scientific purposes shall not be regarded as incompatible with the purposes for which the information was collected.

Personal data may be kept for historical, statistic or scientific purposes for a longer time than that stated in the first paragraph i). However, personal data may not in such cases be kept for a longer period than is necessary for these purposes.

Personal data that is processed for historical, statistical or scientific purposes may be used in order to take measures as regards the person registered only if the person registered has given his/her consent or there is extraordinary reason having regard to the vital interests of the registered person.

Personal data may be processed only if the registered person has given his/her consent to the processing or if the processing is necessary in order

a) to enable the performance of a contract with the registered person or to enable measures that the registered person has requested to be taken before a contract is entered into,

e) that the controller of personal data or a third party to whom the personal data is provided should be able to perform a work task in conjunction with the exercise of official authority, or

f) that a purpose that concerns a legitimate interest of the controller of personal data or of such a third party to whom personal data is provided should be able to be satisfied, if this interest is of greater weight than the interest of the registered person in protection against violation of personal integrity.

Personal data may not be processed for purposes concerning direct marketing, if the registered person gives notice in writing to the controller of personal data that he/she opposes such processing.

In those cases where processing of personal data is only permitted when the registered person has provided his/her consent under Section 10, 15 or 34, the registered person is entitled to revoke at any time consent that has been given. Further personal data about the registered person may not subsequently be processed.

A registered person is not entitled, beyond that provided by the first paragraph and Section 11, to oppose such processing of personal data as is permitted under this Act.

Information of the kind referred to in the first and second paragraphs is designated as sensitive personal data in this Act.

Despite the prohibition of Section 13 it is permitted to process sensitive personal data in those cases stated in Sections 15–19.

In Section 10 there are provisions concerning the cases in which processing of personal data is not permitted in any case whatsoever.

Sensitive personal data may be processed if the registered person has given his/her explicit consent to processing or in a clear manner publicised the information.

a) the controller of personal data should be able to comply with his/her duties or exercise his/her rights within employment law,

b) the vital interests of the registered person or some other person should be able to be protected and the registered person cannot provide his/her consent, or

Information that is processed on the basis of the first paragraph a) may be disclosed to a third party only if there is within employment law an obligation for the controller of personal data to do so or the registered person has explicitly consented to the provision.

Non-profit organisations with political, philosophical, religious or trade union objects may within the framework of their operations process sensitive personal data concerning the members of the organisation and such other persons who by reason of the objects of the organisation have regular contact with it. However, sensitive personal data may be provided to a third party only if the registered person explicitly consents to it.

Sensitive personal data may be processed for health and hospital care purposes, provided the processing is necessary for

A person who is professionally operational within the health care sector and is subject to a duty of confidentiality may also process sensitive personal data that is subject to the duty of confidentiality. This also applies to the person who is subject to a similar duty of confidentiality and who has received sensitive personal data from the operation within the health care sector.

Sensitive personal data may be processed for research and statistics purposes, provided the processing is necessary in the manner stated in Section 10 and provided the interest of society in the research or statistics project within which the processing is included is manifestly greater than the risk of improper violation of the personal integrity of the individual that the processing may involve.

If the processing has been approved by a research ethics committee, the prerequisites under the first paragraph shall be deemed satisfied. Research ethics committee means such special body for consideration of research ethics issues that has representatives for both the public and the research and that is linked to a university or a university college or to some other instance that to a very substantial extent funds research.

Personal data may be provided to be used in such projects referred to in the first paragraph, unless otherwise provided by the rules on secrecy and confidentiality.

The Government or the authority appointed by the Government may issue regulations on further exemptions from the prohibition in Section 13 if it is necessary having regard to an important public interest.

It is prohibited for other parties than public authorities to process personal data concerning legal offences involving crime, judgments in criminal cases, coercive penal procedural measures or administrative deprivation of liberty.

The Government or the authority appointed by the Government may issue regulations on exemptions from the prohibition in the first paragraph.

The Government may in an individual case decide on an exemption from the prohibition in the first paragraph. The Government may delegate power to the supervisory authority to make such decisions.

Information about personal identity numbers or classification numbers may, in the absence of consent, only be dealt with when it is clearly justified having regard to

If data about a person is collected from the person him/herself, the controller of personal data shall in conjunction therewith voluntarily provide the registered person with information about the processing of the data.

If personal data has been collected from another source than the registered person, the controller of personal data shall voluntarily provide the registered person with information about the processing of the data when it is registered. However, if the data is intended to be disclosed to a third party, the information need not be given before the data has been disclosed for the first time.

Information under the first paragraph need not be provided if there are provisions concerning the registration or disclosure of personal data in an act or some other enactment.

Nor need information be provided in accordance with the first paragraph, if it proves to be impossible or would involve a disproportionate effort. However, if the data is used to take measures concerning the registered person, the information shall be provided at the latest in conjunction with that happening.

c) all other information necessary in order for the registered person to be able to exercise his/her rights in connection with the processing, such as information about the recipients of the information, the obligation to provide information and the right to apply for information and obtain rectification.

However, information need not be provided regarding such matters as the registered person already knows of.

The controller of personal data is liable to provide, to every natural person who requests it, free of charge notification once per annum of whether personal data concerning the applicant is processed or not. If such data is processed, written information shall also be provided about

An application under the first paragraph shall be made in writing to the controller of personal data and be signed by the applicant him/herself. Information under the first paragraph shall be provided within one month from when the application was made. However, if there are special reasons for so doing, the information may be provided not later than four months after when the application was made.

Information under the first paragraph does not need to be provided about personal data in running text that has not been given its final wording when the application was made or which comprises an aide memoire or the like. However, that stated here does not apply if the data has only been disclosed to a third party or if the data was only processed for historical, statistical or scientific purposes or, as regards running text that has not been given its final wording, if the data has been processed for a longer period than one year.

Exemptions from the obligation to provide information in the case of secrecy and duty of confidentiality

To the extent that it is specifically prescribed by a statute or other enactment or by a decision that has been issued under an enactment that information may not be provided to the registered person, the provisions of Sections 23–26 do not apply. A controller of personal data who is not an authority may in that connection in a corresponding case as referred to in the Secrecy Act (1980:100) refuse to provide information to the registered person.

The controller of personal data is liable at the request of the registered person to immediately rectify, block or erase such personal data that has not been processed in accordance with this Act or regulations that have been made under the Act. The controller of personal data shall also notify a third party to whom the data has been disclosed about the measure, if the registered person requests it or if more substantial damage or inconvenience for the registered person could be avoided by a notification. However, no such notification need be provided if it is shown to be impossible or would involve a disproportionate effort.

If a decision that has legal effects for a natural person or otherwise has manifest effects for the natural person, is based solely on automated processing of such personal data as is intended to assess the qualities of the person, the person who is affected by the decision shall have an opportunity to have the decision reconsidered by a person upon request.

Anybody who has been the subject of such a decision as is referred to in the first paragraph is entitled to on application obtain information from the controller of personal data about what has controlled the automated processing that resulted in the decision. As regards applications and provision of information, the applicable parts of the rules under Section 26 apply.

A personal data assistant and a person or those persons who work under the assistant’s or the controller of personal data’s direction may only process personal data in accordance with instructions from the controller of personal data.

There shall be a written contract on the processing by the personal data assistant of personal data on behalf of the controller of personal data. It shall be specifically stipulated in the contract that the personal data assistant may only process personal data in accordance with instructions from the controller of personal data and that the personal data assistant is liable to take those measures referred to in Section 31, first paragraph.

If there are special provisions in a statute or other enactment concerning processing of personal data in public operations as regards matters referred to in the first paragraph, these shall apply instead of that stated in the first paragraph.

The controller of personal data shall implement appropriate technical and organisational measures to protect the personal data that is processed. The measures shall provide a level ofsecurity that is appropriate having regard to

If the controller of personal data engages a personal data assistant, the controller of personal data shall ensure for him/herself that the personal data assistant can implement the security measures that must be taken and ensure that the personal data assistant actually takes the measures.

The supervisory authority may in an individual case decide on which security measures the controller of personal data shall implement in accordance with Section 31.

Section 45 contains rules about the powers of the supervisory authority to make the decision subject to a default fine.

It is prohibited to transfer to a third country personal data that is undergoing processing unless the third country has an adequate level of protection for personal data. The provision also applies to transfer of personal data for processing in a third country.

The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding the transfer. Particular consideration shall be given to the nature of the data, the purpose of the processing, the duration of the processing, the country of origin, the country of final destination and the rules that exist for the processing in the third country.

Notwithstanding the prohibition in Section 33, it is permitted to transfer personal data to a third country if the registered person has given his/her consent to the transfer or if the transfer is necessary for

a) the performance of a contract between the registered person and the controller of personal data or the implementation of precontractual measures taken in response to the request of the registered,

b) the conclusion or performance of a contract between the controller of personal data and a third party which is in the interest of the registered person,

It is also permitted to transfer personal data for use only in a state that has acceded to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

The Government may issue regulations about exemptions from the prohibition in Section 33 of the transfer of personal data to certain states. The Government may also as regards automated processing of personal data issue regulations about transfer of personal data to a third country being permitted, provided the transfer is regulated by a contract that provides adequate safeguards to protect the rights of the registered person.

Furthermore, the Government or the authority appointed by the Government issue regulations about exemptions from the prohibition in Section 33, if this is necessary having regard to an important public interest or if there are adequate safeguards to protect the rights of the registered person.

The Government may, subject to the preconditions mentioned in the second paragraph, decide in individual cases on an exemption from the prohibition in Section 33. The Government may delegate power to the supervisory authority to make such decisions.

Processing of personal data that is completely or partially automated is subject to a notification duty. The controller of personal data shall provide a written notification to the supervisory authority before such processing or a set of such processing with the same or similar purpose is conducted.

If the controller of personal data appoints a personal data representative, this shall be notified to the supervisory authority. Removal from office of a personal data representative shall also be notified to the supervisory authority.

The Government or the authority appointed by the Government may issue regulations concerning exemptions to the notification duty under the first paragraph for such kinds of processing as would probably not result in an improper intrusion of personal integrity.

Notification under Section 36, first paragraph, need not be made if the controller of personal data has given notice to the supervisory authority that a personal data representative has been appointed and who he/she is.

The personal data representative shall have the function of independently ensuring that the controller of personal data processes personal data in a lawful and correct manner and in accordance with good practice and also points out any inadequacies to him or her.

If the personal data representative has reason to suspect that the controller of personal data contravenes the provisions applicable for processing personal data and if rectification is not implemented as soon as is practicable after being pointing out, the personal data representative shall notify this situation to the supervisory authority.

The personal data representative shall also otherwise consult with the supervisory authority in the event of doubt about how the rules applicable to processing of personal data shall be applied.

The personal data representative shall maintain a register of the processing that the controller of personal data implements and which would have been subject to the duty of notification if the representative had not existed. The register shall comprise at least the information that a notification under Section 36 would have contained.

The personal data representative shall assist registered persons to obtain rectification when there is reason to suspect that the personal data processed is incorrect or incomplete.

The Government may issue regulations providing that such processing of personal data as involves particular risks for improper intrusion of personal integrity shall be notified for preliminary examination, three weeks in advance, to the supervisory authority in accordance with Section 36. If the Government has issued such regulations, the exemption from the obligation to give notification under Section 37 does not apply.

The controller of personal data shall, to everybody who requests it, expeditiously and in an appropriate manner provide information about such automated or other processing of personal data that have not been notified to the supervisory authority. The information shall comprise that which a notification under Section 36, first paragraph, would have comprised. However, the controller of personal data is not responsible to provide information subject to secrecy or information about which security measures have been taken. In that connection, a controller of personal data who is not an authority may, in a case corresponding to those referred to in the Secrecy Act (1980:100), refuse to provide information.

b) information about and documentation of the processing of personal data and security of this processing, and

If the supervisory authority cannot, pursuant to a request under Section 43, obtain sufficient information in order to conclude that the processing of personal data is lawful, the authority may prohibit, subject to a default fine, the controller of personal data to process personal data in any other manner than by storing them.

If the supervisory authority concludes that personal data is processed or may be processed in an unlawful manner, the authority shall by a reminder or similar procedure endeavour to attain rectification. If it is not possible to obtain rectification in any other manner or if the matter is urgent, the authority may prohibit, subject to a default fine, the controller of personal data to continue processing the personal data in any other manner than by storing them.

If the controller of personal data does not voluntary comply with the decision concerning security measures under Section 32 that has entered into final legal force, the supervisory authority may prescribe a default fine.

Before the supervisory authority decides a default fine in accordance with Section 44 or 45, the controller of personal data shall have been given an opportunity to express him/herself.  However, if the matter is urgent the authority, pending the expression of views, may issue a temporary decision on a default fine. The temporary decision shall be reconsidered when the period for expressing views has expired.

An order for a default fine shall be served on the controller of personal data. Service under Section 12 of the Service Act (1970:428) may only be used if there is reason to assume that the controller of personal data has absconded or concealing him/herself in some other way.

The supervisory authority may at the County Administrative Court in the county where the authority is situated apply for the erasure of such personal data as has been processed in an unlawful manner.

The controller of personal data shall compensate the registered person for damages and the violation of personal integrity that the processing of personal data in contravention of this Act has caused.

The liability to pay compensation may, to the extent that it is reasonable, be adjusted if the person providing personal data proves that the error was not caused by him or her.

a) provides untrue information in such information to registered persons as is prescribed by this Act, or in the notification to the supervisory authority under Section 36 or to the supervisory authority when the authority requests information in accordance with Section 43,

d) omits to give notification under Section 36, first paragraph, or in accordance with regulations issued under Section 41,

shall be sentenced to a fine or imprisonment of at most six months or, if the offence is grave, to imprisonment of at most two years.

A person who has contravened an order subject to a default fine in accordance with Section 44 or 45, first paragraph, shall not be sentenced for liability for an act that is subject to the default fine order.

The Government or the authority appointed by the Government may issue more detailed regulations concerning

b) the requirements which are imposed on the controller of personal data when processing personal data,

e) which information shall be provided to the registered person and how information shall be provided, and

f) notification to the supervisory authority and procedure when information notified has been altered.

The supervisory authority’s decision in accordance with this Act, except as regards regulations, may be appealed against to a general administrative court.

The supervisory authority may decide that its decision should apply even if it has been appealed against.

2. As regards processing of personal data that commenced before the entry into force, or processing conducted for a particular decided purpose if processing for the purpose was commenced before the entry into force, the old act shall apply instead of the new act up to and including 30 September 2001. This also applies to the rules in the old act on appeals.

3. The rules of Sections 9, 10, 13 and 21 in the new act shall not start to be applied before 1 October 2007 as regards such manual processing of personal data as was commenced before the entry into force, or as regards manual processing that is conducted for a particular decided purpose if manual processing for the purpose was commenced before the entry into force.

4. As regards personal data that at entry into force are stored for historical research, the provisions of Sections 9, 10, 13 and 21 of the new act shall first begin to be applied when the information is processed in some other way. The corresponding rules in the old act shall be applied until then. However, the said rules in the new act shall not be applied before the time prescribed by 2 or 3 by reason of that stated here.

5. Notification under Section 36 of the new act may be made before the new act has entered into force for the processing in question.

6. Consent that has been provided before the new act has entered into force for the processing in question shall also apply after the entry into force provided the consent fulfils the requirements in the new act.

7. If a request for registration under Section 10 of the old act was received before the new act entered into force for the processing in question but has drawn out or not been carried out before entry into force, the request shall be considered to be an application under Section 26 of the new act.

8. The rules of the new act on damages shall only be applied if the circumstances to which the application relates have occurred before the new act has entered into force for the processing in question. In other cases the old rules apply.

This Ordinance provides supplementary regulations concerning such processing of personal data as is subject to the Personal Data Act (1998:204).

The duty of notification under Section 36, first paragraph, of the Personal Data Act (1998:204) does not apply to the processing of personal data

1. that is undertaken pursuant to an authority’s obligation under Chapter 2 of the Freedom of the Press Act to provide official documents,

2. that is undertaken by the archive authority pursuant to the provisions of the Archives Act (1990:782) or the Archives Ordinance (1991:446),

3. that is governed by specific regulations in a statue or enactment in other cases than those mentioned in items 1 and 2.

The duty of notification under Section 36, first paragraph, of the Personal Data Act (1998:204) does not apply for processing personal data in running text.

The duty of notification under Section 36, first paragraph, of the Personal Data Act (1998:204) does not apply to processing of sensitive personal data that is performed under Section 17 of the Personal Data Act. Nor does the duty of notification apply to the corresponding processing by such an organisation of other kinds of personal data than sensitive personal data.

The Data Inspection Board may issue regulations concerning exemptions from the duty of notification under Section 36, first paragraph, of the Personal Data Act (1998:204) for such types of processing as will be likely to result in improper intrusion of personal integrity.

The Data Inspection Board shall, by means of automated processing, maintain a register of the processing of personal data notified to the Inspection under Section 36, first paragraph, of the Personal Data Act (1998:204).

The Data Inspection Board may as regards automated processing of personal data issue regulations about exemptions from the prohibition in Section 21 of the Personal Data Act (1998:204) for persons, other than authorities, to process personal data concerning legal offences that comprise crime, judgments in criminal cases, coercive penal procedural measures or administrative deprivation of liberty. The Data Inspection Board may also decide in individual cases on exemptions from the prohibition.

The following automated processing of personal data shall, irrespective of whether they are subject to the duty of notification under Section 36 of the Personal Data Act or not, be notified for preliminary review to the Data Inspection Board not later than three weeks in advance:

1. processing of sensitive personal data for research purposes without consent of the person registered and which have not been approved by a research ethics committee in accordance with Section 19, second paragraph of the Personal Data Act (1998:204),

2. processing of personal data concerning hereditary disposition derived from genetic investigation.

The first paragraph does not apply to such processing of personal data as is governed by specific regulations in a statute or enactment.

The Data Inspection Board shall as regards such processing as is notified to it in accordance with Section 9 make a special decision about whether measures by reason of the notification should be taken or not.

The Data Inspection Board may as regards matters of automated processing issue regulations on exemptions from the prohibition in Section 33 of the Personal Data Act (1998:204) to transfer to a third country personal data that is being processed and to transfer personal data for processing to a third country if there are adequate safeguards to protect the rights of the person registered. The Data Inspection Board may also under the same preconditions decide in individual cases on exemptions from the prohibition.

The Data Inspection Board shall at the request of an organisation that represents a substantial part of the controllers of personal data within a particular branch or within a particular sector issue an opinion on proposals for agreements as regards processing of personal data within the branch or sector (branch agreement).

An opinion under the first paragraph shall relate to the compatibility of the branch agreement with the Personal Data Act (1998:204) and other ordinances governing the processing of personal data in question.

The Inspection shall, before it issues its opinion, if appropriate ensure that the organisations that represent the person registered have been given an opportunity to express their views on the proposals for a branch agreement.

The Data Inspection Board may on matters concerning automated processing of personal data issue further regulations concerning

5. which information should be provided to the registered person and how the information should be provided,

6. notification to the Inspection and the procedure when notified information has been altered.

A person who is resident in Sweden and who is or may be assumed to be registered in a register subject to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in a country that has acceded to the Convention, may submit to the Data Inspection Board a request for support of the kind referred to in Article 14, Item 2 of the Convention. The Data Inspection Board shall pass on the request for protection by natural persons in automatic data processing of personal data to the other country.

This Ordinance enters into force on 24 October 1998, upon which the Data Ordinance (1982:480) ceases to apply. However, the Data Ordinance still applies in those cases where the Data Act (1973:289) shall be applied in accordance with the implementation and transitional rules for the Personal Data Act (1998:204).