Support Centre

Sweden

Summary

Law: The primary pieces of legislation are the Act with Supplementary Provisions to the GDPR (SFS 2018:218) (only available in Swedish here) (an unofficial English version of the Act is available here) (the Act), Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) (only available in Swedish here) (an unofficial English version of the Ordinance is available here) (the Ordinance) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: The Swedish Authority for Privacy Protection (IMY)

Summary: The GDPR was implemented through a variety of pieces of legislation including the Act with supplementary provisions to the GDPR (SFS 2018:218) (only available in Swedish here) (an unofficial English version of the Act is available here) (the Act) and the Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) (only available in Swedish here) (an unofficial English version of the Ordinance is available here) (the Ordinance).

However, although the Act and the Ordinance supplement the GDPR, they are subsidiary to other laws. This means that provisions in special laws which deviate from what is stated in the Act or the Ordinance will prevail, provided, of course, that the special law complies with the GDPR and concerns a matter which the GDPR allows to be separately regulated or specified in national law.

The Swedish Authority for Privacy Protection (IMY) is the relevant supervisory authority under, for example, the Swedish Criminal Data Act (SFS 2018:1177) (only available in Swedish here) (the Criminal Data Act), the Camera Surveillance Act 2018:1200 (only available in Swedish here) (the Camera Surveillance Act), the Swedish Patient Data Act (SFS 2008:355) (only available in Swedish here) (the Swedish Patient Data Act), and the Swedish Credit Information Act (SFS 1973:1173) (only available in Swedish here).

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.