Introductory provision
section 1 of this regulation are given supplementary regulations
with regard to the processing of personal data within the scope of
personal data Act (1998:204).
Supervisory authority
section 2 of the Swedish Data Inspection Board is the supervisory authority in accordance with
personal data Act (1998:204).
Notification to the Data Inspection Board
paragraph 3 of the notification requirement pursuant to paragraph 36
personal data Act (1998:204) does not apply to the processing of
personal data
1. performed as a result of a government obligation under 2
Cape. freedom of the Press Act to disclose public action,
2. as a result of the provisions of the Archives Act (1990:782)
or archive Regulation (1991:446) is performed by a library authority,
3. which are governed by special rules of law or
Regulation in cases other than those mentioned in 1 and 2.
section 4 of the notification requirement pursuant to paragraph 36
personal data Act (1998:204) does not apply to the processing of
personal data in running text or unstructured
material referred to in section 5 (a) the personal data Act. Regulation
(2006:1221).
section 5 of the notification requirement pursuant to paragraph 36
personal data Act (1998:204) does not apply to the processing of
sensitive personal data that is carried out pursuant to section 17 of the
the data protection act. The notification requirement does not apply
for such an organization equivalent to the treatment of other kinds
of personal information other than the sensitive personal data.
section 6 of the Data Protection Authority may provide for exceptions from the
the notification requirement pursuant to paragraph 36
personal data Act (1998:204) for those types of treatments
that is not likely to result in undue interference in
personal privacy.
section 7 of the Data Inspection Board, with automatic processing bring
a register of the processing operations involving personal data
notified to the supervisory authority in accordance with paragraph 36
personal data Act (1998:204).
Exceptions to the ban on processing of sensitive
personal data
8 § beyond what follows from 5 (a) and 15-19 §§
personal data Act (1998:204), the sensitive personal data
processed by an authority in running text if the data are
supplied in a case or is necessary for the processing of
the Regulation (2006:1221).
Processing of data relating to offences, etc.
9 § the Swedish Data Inspection Board may provide for exceptions from the
the prohibition provided for in section 21 of the personal data Act (1998:204) for other than
authorities to process personal data relating to offences
involving crime, criminal convictions, supervision measures
enforcement or administrative detention.
The Swedish data inspection Board may also, on a case by case basis, decide on the exemption
from the prohibition. Regulation (2001:582).
Ex-ante verification
10 repealed by Regulation (2013:22).
section 11 of the Data Inspection Board shall, in the case of treatment reported
There, according to specific rules for ex-ante verification in a
Constitution, in particular, decide whether there should be taken measures
on the occasion of the notification or not.
Regulation (2013:22).
Transfer of personal data to third countries
section 12 of a municipality or a County may transfer to a third country
of personal data contained in
1. a register specified in Chapter 5. section 2 of the public-and
secrecy (2009:400),
2. a notice of a meeting of the Council or a
Board,
3. a public notice of the meeting of the Council, or
4. an adjusted Protocol conducted at a meeting
with the Council or a Committee.
Personal data that directly identifies the data subject must not
be transferred. This prohibition does not apply to personal data
related to an elected official, when it comes to his or her
Mission. The ban does not apply if
1. other personal data relating to the data subject is not
those referred to in section 13 or 21 Act
(1998:204), and
2. There is no reason to believe that there is a risk that the
data subject's right to privacy is violated by the transfer.
Social security number or co-ordination number must never be passed.
The first – third paragraphs also applies to a
municipal unions. With the Council within the meaning of such a case in
rather than Federal Council or förbundsdirektionen and with
the Board referred to such an authority as defined in Chapter 3. 25 section
paragraph local Government Act (1991:900). Regulation (2010:293).
13 § personal information may be transferred to third countries
1. If and to the extent to which the European Commission has
noted that the country has an adequate level of protection of
personal data in accordance with article 25(6) of
European Parliament and Council Directive 95/46/EC of 24
October 1995 on the protection of individuals with regard to the
the processing of personal data and on the free movement of
such information, or
2. where the personal data is transferred pursuant to a
agreements containing such standard contractual clauses
the Commission in accordance with article 26(4) of the directive have decided
offers sufficient guarantees to private life and
individuals ' fundamental rights and freedoms are protected
and for the exercise of the corresponding rights.
Decision of the Commission referred to in the first subparagraph 1 are listed in
Annex 1 to this regulation. The annex shows that some
the decision applies only to transfers to such recipients
specified in the decisions.
Decision of the Commission referred to in the first subparagraph 2 stated in
Annex 2 to this regulation. Regulation (2010:193).
Regulation (2010:193).
13 AOF a carrier, such as by air transport passengers
to or from a third country, to the land transfer
personal data contained in the carrier's
passenger list (Passenger Name Record), if there is
According to the conditions as set out in an agreement between the
the third country and the European Union concerning the treatment and
transfer of data on air passengers.
Agreements referred to in the first subparagraph are set out in annex III
to this regulation. Regulation (2006:1221).
section 14 of the Swedish Data Inspection Board may provide for exceptions from the
the prohibition provided for in § 33 of the personal data Act (1998:204), for
third country transfer personal data during processing
and the transfer of personal data for processing in a third country
If there are sufficient guarantees for the protection of the
data subjects ' rights. The Swedish data inspection Board may also
same condition in individual cases may decide to derogate from
the ban. Regulation (2006:1221).
Inter-trade agreements
15 § the Swedish Data Inspection Board shall, at the request of an organisation
represent a significant proportion of the personuppgiftsansvariga within the
a particular industry or in a given area give an opinion over
draft agreements concerning the treatment of
personal data in the field or area
(sectoral agreement).
An opinion referred to in the first subparagraph shall be
industry the compliance with the personal data Act
(1998:204) and regulations governing the treatment
of personal data is concerned.
The inspection shall before giving opinion on appropriate
ensure that organizations representing the data subjects
had the opportunity to express their views on the proposals for
industry agreements. Regulation (2001:582).
Appropriations
section 16 of the Swedish Data Inspection Board may announce details relating to the
1. the cases in which the processing of personal data is permitted;
2. the requirements made on the officer,
3. the cases in which the use of social security numbers is allowed,
4. what a notification or application to a data controller
shall include,
5. the information to be provided to data subjects and
how the information is to be provided,
6. notification to the supervision authority and the procedure when notified
data has changed. Regulation (2001:582).
Assistance to persons registered abroad
section 17 of The resident in Sweden and which is or is likely to
be registered in a register which is covered by the Council of Europe
Convention on the protection of individuals with regard to automatic processing
of personal data in a country, which is connected to
the Convention, the Swedish Data Inspection Board to submit such
request for assistance referred to in article 14, paragraph 2, of the
Convention. The Swedish data inspection Board representation to convey
the other country.
The petition shall contain the
1. name, address and other information necessary to
identify the person making the request;
2. the register which the representation relates to or
responsible for the registry,
3. the purpose of the representation. Regulation (2001:582).
Transitional provisions
1998:1191
This Regulation shall enter into force on 24 October 1998 when
data Regulation (1982:480) is repealed.
Data regulation, however, is still in the case data law
(1973:289) shall be applied in accordance with the entry into force and
the transitional provisions of the Swedish personal data Act (1998:204).
2013:22
1. This Regulation shall enter into force on 1 March 2013.
2. Older rules applicable to notifications received
to the Data Inspection Board prior to the entry into force.
Annex 1/expires U: 2016-01-01-the European Commission has announced the following decisions in accordance with
Article 25(6) of Directive
95/46/EC. By decision 4, 5 and 9 shows that these decisions only
applies to transfers to certain specified recipients in
each country.
Third Countries Decision
Andorra 1. Commission decision 2010/625/EU of
October 19, 2010 in accordance with the
European Parliament and Council directive
95/46/EC on the adequate protection of
personal data of Andorra.
Argentina 2. Commission decision 2003/490/EC of
on 30 June 2003, in accordance with
European Parliament and Council directive
95/46/EC on the adequate protection of
personal data in Argentina.
The Bailiwick of Guernsey,
IE. the islands of Guernsey,
Alderney, Sark, Herm,
Jethou, Brecqhou (Brechou) and
Lihou 3. Commission decision 2003/821/EC of
on 21 november 2003 on the adequate protection of
personal data in Guernsey.
Faroe Islands 4. Commission decision 2010/146/EU of
on March 5, 2010 in accordance with the
European Parliament and Council directive
95/46/EC, if an adequate level of protection by
the Faroese Act concerning the processing of
personal data.
United States 5. Commission decision 2000/520/EC of
on 26 July 2000 pursuant to
European Parliament and Council directive
95/46/EC as to whether adequate protection
is ensured by the
privacy protection (Safe Harbour Privacy
Principles) in combination with questions
and the response by the us
the Department of Commerce issued.
Isle of Man 6. Commission decision 2004/411/EC of
on 28 april 2004 on the adequate protection of
personal data in the Isle of Man.
Israel 7. Commission decision 2011/61/EU of
on January 31, 2011 in accordance with
European Parliament and Council directive
95/46/EC, if an adequate level of protection at
automatic processing
personal information of the State of Israel.
Jersey 8. Commission decision 2008/393/EC of
on 8 May 2008, in accordance with
European Parliament and Council directive
95/46/EC on the adequate protection of
personal data in Jersey.
Canada 9. Commission decision 2002/2/EC of the
on 20 december 2001 in accordance with the
European Parliament and Council directive
95/46/EC on the adequate protection of
personal information by the Canadian
the law on electronic documents and
protection of personal data (Personal
Information Protection and Electronic
Documents Act).
New Zealand 10. Commission implementing decision
2013/65/EU of 19 december 2012 in
of the European Parliament and
Council Directive 95/46/EC, if an adequate
protection of personal information in New Zealand.
Switzerland 11. Commission decision 2000/518/EC of
on 26 July 2000 pursuant to
European Parliament and Council directive
95/46/EC on the adequate protection of
personal data in Switzerland.
Uruguay 12. Commission implementing decision 2012/484/EU of 21 August 2012 in
of the European Parliament and
Council Directive 95/46/EC, if an adequate
level of protection by automatic processing
of personal data in the Republic of Uruguay.
Regulation (2013:159).
Annex 1/shall enter into force in: 2016-01-01-the European Commission has announced the following decision under article 25(6) of Directive 95/46/EC. By decision 4 and 8 indicates that the decision applies only to transfers to certain specific recipients in their respective countries.
Third countries Decision
Andorra 1. Commission decision 2010/625/EU of 19 October 2010 in accordance with European Parliament and Council Directive 95/46/EC on the adequate protection of personal data in Andorra.
Argentina 2. Commission decision 2003/490/EC of 30 June 2003, in accordance with European Parliament and Council Directive 95/46/EC on the adequate protection of personal data in Argentina.
The Bailiwick of Guernsey, IE. the islands of Guernsey, Alderney, Sark, Herm, Jethou, Brecqhou (Brechou) and Lihou 3. Commission decision 2003/821/EC of 21 november 2003 on the adequate protection of personal data in Guernsey.
Faroe Islands 4. Commission decision 2010/146/EU of 5 March 2010 in accordance with European Parliament and Council Directive 95/46/EC, if an adequate level of protection by the Faroese Act concerning the processing of personal data.
Isle of Man 5. Commission decision 2004/411/EC of 28 april 2004 on the adequate protection of personal data in the Isle of Man.
Israel 6. Commission decision 2011/61/EU of 31 January 2011 in accordance with European Parliament and Council Directive 95/46/EC, if an adequate level of protection at the automatic processing of personal data in the State of Israel.
Jersey 7. Commission decision 2008/393/EC of 8 May 2008 pursuant to European Parliament and Council Directive 95/46/EC on the adequate protection of personal data in Jersey.
Canada 8. Commission decision 2002/2/EC of 20 december 2001 pursuant to Directive 95/46/EC on the adequate protection of personal information by the Canadian law of electronic documents and the protection of personal data (Personal Information Protection and Electronic Documents Act).
New Zealand 9. Commission implementing decision 2013/65/EU of 19 december 2012 in accordance with European Parliament and Council Directive 95/46/EC on the adequate protection of personal data in New Zealand.
Switzerland 10. Commission decision 2000/518/EC of 26 July 2000 pursuant to Directive 95/46/EC on the adequate protection of personal data in Switzerland.
Uruguay 11. Commission implementing decision 2012/484/EU of 21 August 2012 in accordance with European Parliament and Council Directive 95/46/EC, if an adequate level of protection at the automatic processing of personal data in the Republic of Uruguay.
Regulation (2015:741).
Annex 2
The European Commission has announced the following decisions in accordance with
Article 26(4) of Directive
95/46/EC.
1. Commission decision of 15 June 2001 on
standard contractual clauses for the transfer of personal data
to third countries pursuant to European Parliament and Council directive
95/46/EC and Commission decision of 27 december 2004
amending that decision.
2. the Commission's decision of 5 February 2010 on the
standard contractual clauses for the transfer of personal data
to processors established in third countries in accordance with
European Parliament and Council Directive 95/46/EC.
Regulation (2010:193).
Annex 3
Between the European Union and third countries shall be subject to the following
international agreements on the transfer of data in
air carriers ' passenger lists (Passenger Name
Record).
Third Country Agreement
The United States of America 1. Agreement on 26 July 2007 between
The European Union and the United
States of America on the processing
of passenger name record (PNR) and
the transfer of these to the United
States Department of Homeland
Security.
Australia 2. Agreement on 30 June 2008 between
The European Union and Australia on the
treatment of air carriers
passenger name record (PNR) from
The European Union and the transfer of
carriers to the Australian Customs Service.
Regulation (2008:750).