Advanced Search

The Personal Data Ordinance (1998:1191)

Original Language Title: Personuppgiftsförordning (1998:1191)

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
Introductory provision



section 1 of this regulation are given supplementary regulations

with regard to the processing of personal data within the scope of

personal data Act (1998:204).



Supervisory authority



section 2 of the Swedish Data Inspection Board is the supervisory authority in accordance with

personal data Act (1998:204).



Notification to the Data Inspection Board



paragraph 3 of the notification requirement pursuant to paragraph 36

personal data Act (1998:204) does not apply to the processing of

personal data



1. performed as a result of a government obligation under 2

Cape. freedom of the Press Act to disclose public action,



2. as a result of the provisions of the Archives Act (1990:782)

or archive Regulation (1991:446) is performed by a library authority,



3. which are governed by special rules of law or

Regulation in cases other than those mentioned in 1 and 2.



section 4 of the notification requirement pursuant to paragraph 36

personal data Act (1998:204) does not apply to the processing of

personal data in running text or unstructured

material referred to in section 5 (a) the personal data Act. Regulation

(2006:1221).



section 5 of the notification requirement pursuant to paragraph 36

personal data Act (1998:204) does not apply to the processing of

sensitive personal data that is carried out pursuant to section 17 of the

the data protection act. The notification requirement does not apply

for such an organization equivalent to the treatment of other kinds

of personal information other than the sensitive personal data.



section 6 of the Data Protection Authority may provide for exceptions from the

the notification requirement pursuant to paragraph 36

personal data Act (1998:204) for those types of treatments

that is not likely to result in undue interference in

personal privacy.



section 7 of the Data Inspection Board, with automatic processing bring

a register of the processing operations involving personal data

notified to the supervisory authority in accordance with paragraph 36

personal data Act (1998:204).



Exceptions to the ban on processing of sensitive

personal data



8 § beyond what follows from 5 (a) and 15-19 §§

personal data Act (1998:204), the sensitive personal data

processed by an authority in running text if the data are

supplied in a case or is necessary for the processing of

the Regulation (2006:1221).



Processing of data relating to offences, etc.



9 § the Swedish Data Inspection Board may provide for exceptions from the

the prohibition provided for in section 21 of the personal data Act (1998:204) for other than

authorities to process personal data relating to offences

involving crime, criminal convictions, supervision measures

enforcement or administrative detention.

The Swedish data inspection Board may also, on a case by case basis, decide on the exemption

from the prohibition. Regulation (2001:582).



Ex-ante verification



10 repealed by Regulation (2013:22).



section 11 of the Data Inspection Board shall, in the case of treatment reported

There, according to specific rules for ex-ante verification in a

Constitution, in particular, decide whether there should be taken measures

on the occasion of the notification or not.

Regulation (2013:22).



Transfer of personal data to third countries



section 12 of a municipality or a County may transfer to a third country

of personal data contained in



1. a register specified in Chapter 5. section 2 of the public-and

secrecy (2009:400),



2. a notice of a meeting of the Council or a

Board,



3. a public notice of the meeting of the Council, or



4. an adjusted Protocol conducted at a meeting

with the Council or a Committee.



Personal data that directly identifies the data subject must not

be transferred. This prohibition does not apply to personal data

related to an elected official, when it comes to his or her

Mission. The ban does not apply if



1. other personal data relating to the data subject is not

those referred to in section 13 or 21 Act

(1998:204), and



2. There is no reason to believe that there is a risk that the

data subject's right to privacy is violated by the transfer.



Social security number or co-ordination number must never be passed.



The first – third paragraphs also applies to a

municipal unions. With the Council within the meaning of such a case in

rather than Federal Council or förbundsdirektionen and with

the Board referred to such an authority as defined in Chapter 3. 25 section

paragraph local Government Act (1991:900). Regulation (2010:293).



13 § personal information may be transferred to third countries



1. If and to the extent to which the European Commission has

noted that the country has an adequate level of protection of

personal data in accordance with article 25(6) of

European Parliament and Council Directive 95/46/EC of 24

October 1995 on the protection of individuals with regard to the

the processing of personal data and on the free movement of

such information, or



2. where the personal data is transferred pursuant to a

agreements containing such standard contractual clauses

the Commission in accordance with article 26(4) of the directive have decided

offers sufficient guarantees to private life and

individuals ' fundamental rights and freedoms are protected

and for the exercise of the corresponding rights.



Decision of the Commission referred to in the first subparagraph 1 are listed in

Annex 1 to this regulation. The annex shows that some

the decision applies only to transfers to such recipients

specified in the decisions.



Decision of the Commission referred to in the first subparagraph 2 stated in

Annex 2 to this regulation. Regulation (2010:193).

Regulation (2010:193).



13 AOF a carrier, such as by air transport passengers

to or from a third country, to the land transfer

personal data contained in the carrier's

passenger list (Passenger Name Record), if there is

According to the conditions as set out in an agreement between the

the third country and the European Union concerning the treatment and

transfer of data on air passengers.



Agreements referred to in the first subparagraph are set out in annex III

to this regulation. Regulation (2006:1221).



section 14 of the Swedish Data Inspection Board may provide for exceptions from the

the prohibition provided for in § 33 of the personal data Act (1998:204), for

third country transfer personal data during processing

and the transfer of personal data for processing in a third country

If there are sufficient guarantees for the protection of the

data subjects ' rights. The Swedish data inspection Board may also

same condition in individual cases may decide to derogate from

the ban. Regulation (2006:1221).



Inter-trade agreements



15 § the Swedish Data Inspection Board shall, at the request of an organisation

represent a significant proportion of the personuppgiftsansvariga within the

a particular industry or in a given area give an opinion over

draft agreements concerning the treatment of

personal data in the field or area

(sectoral agreement).



An opinion referred to in the first subparagraph shall be

industry the compliance with the personal data Act

(1998:204) and regulations governing the treatment

of personal data is concerned.



The inspection shall before giving opinion on appropriate

ensure that organizations representing the data subjects

had the opportunity to express their views on the proposals for

industry agreements. Regulation (2001:582).



Appropriations



section 16 of the Swedish Data Inspection Board may announce details relating to the



1. the cases in which the processing of personal data is permitted;



2. the requirements made on the officer,



3. the cases in which the use of social security numbers is allowed,



4. what a notification or application to a data controller

shall include,



5. the information to be provided to data subjects and

how the information is to be provided,



6. notification to the supervision authority and the procedure when notified

data has changed. Regulation (2001:582).



Assistance to persons registered abroad



section 17 of The resident in Sweden and which is or is likely to

be registered in a register which is covered by the Council of Europe

Convention on the protection of individuals with regard to automatic processing

of personal data in a country, which is connected to

the Convention, the Swedish Data Inspection Board to submit such

request for assistance referred to in article 14, paragraph 2, of the

Convention. The Swedish data inspection Board representation to convey

the other country.



The petition shall contain the



1. name, address and other information necessary to

identify the person making the request;



2. the register which the representation relates to or

responsible for the registry,



3. the purpose of the representation. Regulation (2001:582).



Transitional provisions



1998:1191



This Regulation shall enter into force on 24 October 1998 when

data Regulation (1982:480) is repealed.

Data regulation, however, is still in the case data law

(1973:289) shall be applied in accordance with the entry into force and

the transitional provisions of the Swedish personal data Act (1998:204).



2013:22



1. This Regulation shall enter into force on 1 March 2013.



2. Older rules applicable to notifications received

to the Data Inspection Board prior to the entry into force.



Annex 1/expires U: 2016-01-01-the European Commission has announced the following decisions in accordance with

Article 25(6) of Directive

95/46/EC. By decision 4, 5 and 9 shows that these decisions only

applies to transfers to certain specified recipients in

each country.



Third Countries Decision



Andorra 1. Commission decision 2010/625/EU of

October 19, 2010 in accordance with the

European Parliament and Council directive

95/46/EC on the adequate protection of

personal data of Andorra.



Argentina 2. Commission decision 2003/490/EC of

on 30 June 2003, in accordance with

European Parliament and Council directive

95/46/EC on the adequate protection of

personal data in Argentina.




The Bailiwick of Guernsey,

IE. the islands of Guernsey,

Alderney, Sark, Herm,

Jethou, Brecqhou (Brechou) and

Lihou 3. Commission decision 2003/821/EC of

on 21 november 2003 on the adequate protection of

personal data in Guernsey.



Faroe Islands 4. Commission decision 2010/146/EU of

on March 5, 2010 in accordance with the

European Parliament and Council directive

95/46/EC, if an adequate level of protection by

the Faroese Act concerning the processing of

personal data.



United States 5. Commission decision 2000/520/EC of

on 26 July 2000 pursuant to

European Parliament and Council directive

95/46/EC as to whether adequate protection

is ensured by the

privacy protection (Safe Harbour Privacy

Principles) in combination with questions

and the response by the us

the Department of Commerce issued.



Isle of Man 6. Commission decision 2004/411/EC of

on 28 april 2004 on the adequate protection of

personal data in the Isle of Man.



Israel 7. Commission decision 2011/61/EU of

on January 31, 2011 in accordance with

European Parliament and Council directive

95/46/EC, if an adequate level of protection at

automatic processing

personal information of the State of Israel.



Jersey 8. Commission decision 2008/393/EC of

on 8 May 2008, in accordance with

European Parliament and Council directive

95/46/EC on the adequate protection of

personal data in Jersey.



Canada 9. Commission decision 2002/2/EC of the

on 20 december 2001 in accordance with the

European Parliament and Council directive

95/46/EC on the adequate protection of

personal information by the Canadian

the law on electronic documents and

protection of personal data (Personal

Information Protection and Electronic

Documents Act).



New Zealand 10. Commission implementing decision

2013/65/EU of 19 december 2012 in

of the European Parliament and

Council Directive 95/46/EC, if an adequate

protection of personal information in New Zealand.



Switzerland 11. Commission decision 2000/518/EC of

on 26 July 2000 pursuant to

European Parliament and Council directive

95/46/EC on the adequate protection of

personal data in Switzerland.



Uruguay 12. Commission implementing decision 2012/484/EU of 21 August 2012 in

of the European Parliament and

Council Directive 95/46/EC, if an adequate

level of protection by automatic processing

of personal data in the Republic of Uruguay.

Regulation (2013:159).



Annex 1/shall enter into force in: 2016-01-01-the European Commission has announced the following decision under article 25(6) of Directive 95/46/EC. By decision 4 and 8 indicates that the decision applies only to transfers to certain specific recipients in their respective countries.



Third countries Decision



Andorra 1. Commission decision 2010/625/EU of 19 October 2010 in accordance with European Parliament and Council Directive 95/46/EC on the adequate protection of personal data in Andorra.



Argentina 2. Commission decision 2003/490/EC of 30 June 2003, in accordance with European Parliament and Council Directive 95/46/EC on the adequate protection of personal data in Argentina.



The Bailiwick of Guernsey, IE. the islands of Guernsey, Alderney, Sark, Herm, Jethou, Brecqhou (Brechou) and Lihou 3. Commission decision 2003/821/EC of 21 november 2003 on the adequate protection of personal data in Guernsey.



Faroe Islands 4. Commission decision 2010/146/EU of 5 March 2010 in accordance with European Parliament and Council Directive 95/46/EC, if an adequate level of protection by the Faroese Act concerning the processing of personal data.



Isle of Man 5. Commission decision 2004/411/EC of 28 april 2004 on the adequate protection of personal data in the Isle of Man.



Israel 6. Commission decision 2011/61/EU of 31 January 2011 in accordance with European Parliament and Council Directive 95/46/EC, if an adequate level of protection at the automatic processing of personal data in the State of Israel.



Jersey 7. Commission decision 2008/393/EC of 8 May 2008 pursuant to European Parliament and Council Directive 95/46/EC on the adequate protection of personal data in Jersey.



Canada 8. Commission decision 2002/2/EC of 20 december 2001 pursuant to Directive 95/46/EC on the adequate protection of personal information by the Canadian law of electronic documents and the protection of personal data (Personal Information Protection and Electronic Documents Act).



New Zealand 9. Commission implementing decision 2013/65/EU of 19 december 2012 in accordance with European Parliament and Council Directive 95/46/EC on the adequate protection of personal data in New Zealand.



Switzerland 10. Commission decision 2000/518/EC of 26 July 2000 pursuant to Directive 95/46/EC on the adequate protection of personal data in Switzerland.



Uruguay 11. Commission implementing decision 2012/484/EU of 21 August 2012 in accordance with European Parliament and Council Directive 95/46/EC, if an adequate level of protection at the automatic processing of personal data in the Republic of Uruguay.

Regulation (2015:741).



Annex 2



The European Commission has announced the following decisions in accordance with

Article 26(4) of Directive

95/46/EC.



1. Commission decision of 15 June 2001 on

standard contractual clauses for the transfer of personal data

to third countries pursuant to European Parliament and Council directive

95/46/EC and Commission decision of 27 december 2004

amending that decision.



2. the Commission's decision of 5 February 2010 on the

standard contractual clauses for the transfer of personal data

to processors established in third countries in accordance with

European Parliament and Council Directive 95/46/EC.

Regulation (2010:193).



Annex 3



Between the European Union and third countries shall be subject to the following

international agreements on the transfer of data in

air carriers ' passenger lists (Passenger Name

Record).



Third Country Agreement



The United States of America 1. Agreement on 26 July 2007 between

The European Union and the United

States of America on the processing

of passenger name record (PNR) and

the transfer of these to the United

States Department of Homeland

Security.



Australia 2. Agreement on 30 June 2008 between

The European Union and Australia on the

treatment of air carriers

passenger name record (PNR) from

The European Union and the transfer of

carriers to the Australian Customs Service.

Regulation (2008:750).