Sweden’s Data Protection Commission Publishes Report on Adapting to the GDPR

In February 2016, the Swedish Government tasked a group of experts with evaluating how Swedish laws should be adapted to the EU General Data Protection Regulation (GDPR).

On May 12, 2017, Sweden’s Data Protection Commission (Betankande av Dataskyddsutredningen) published the evaluation on the Swedish Parliament’s (Riksdag’s) website.

Here some of the main points that we gathered from the report:

The overall mission of the report is to propose legislation that supplements the GDPR, and which does not expand or limit the possibilities for processing personal data beyond what is mandated by the GDPR.

Sweden’s Personal Data Act (1998:204) and Personal Data Ordinance (1998:1191) should be repealed and replaced by a new comprehensive national data protection law.

Sector-specific rules should be incorporated in draft legislation.

Additional protection should be provided for whistleblowers.

Derogations should be made for the use of personal data for journalistic or academic purposes, and artistic and literary creation, to be consistent with Sweden’s Fundamental Law on Freedom of Expression and Freedom of the Press Act.

The age requiring parental consent to process the personal data of children should be lowered to 13 (the GDPR sets the age at 16).

Provisions should be included that clarify how the various legal bases for processing, as outlined in the GDPR, should be applied and how. Legal basis should be established by the national archives, through regulations or decisions in individual cases.

The processing of sensitive personal data should only be allowed where explicitly permitted by the data subject or by specific exemption (e.g., in the fields of employment law, health care, social care, archiving and statistical research).

Processing of personal data concerning criminal offenses should continue to be allowed for law enforcement purposes.

The data subject right to access should not apply to data that is subject to secrecy regulations, such as that which is contained in running texts that constitute rough drafts or notes.

Provide clarification that data subjects are entitled to compensation as a result of infringements against Swedish data protection law supplementing the GDPR.

Provide an option to the Swedish DPA to impose administrative fines on organizations that violate the GDPR.

Confidentiality should apply to data protection officers (DPOs) where the DPO has gained knowledge of a private party’s personal or financial circumstances.

Organizations around the globe should start to take note of proposals like this, as EU member states begin efforts to adapt their national laws to the GDPR and make derogations to its applicable provisions.

As always, OneTrust will continue to track these developments as they occur.