Sweden

LEG-01:

Legislation enacted specifically for data privacy?
– Personal Data Act 1998.

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Electronic Communications Act 2003.
– Swedish Marketing Act 2008.
– Act (2008:717) on Signals Intelligence in Defence Intelligence Operations (SIG).
– The Privacy and Electronic Communications Regulations 2003 (PEC).

LEG-03:

The country is a member of an organisation that implements guidelines for data privacy. Note: These are guidelines ONLY; each country that agrees and signs then needs to incorporate them into its own legislation in some form.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
– EU Data Protection Directive 1995/46/EC (DPD)
– EU Privacy and Electronic Communications Directive 2002/58/EC (EUPEC)
– EU Regulation 45/2001/EC (CIB)
Notes: The full title of the DPD is “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.
The full title of the CIB is “Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data”.

LEG-04:

Bills currently going through the legislative process.
– General Data Protection Regulation
Notes: This will replace the current DPD from 25 May 2018.

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Convention on Cybercrime 2001.
Notes: Signed but not implemented.

LEG-06:

Has other state laws related to privacy.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.

PRI-02:

There is a requirement to establish a privacy commissioner.

PRI-03:

The functions of the authority are clearly set out.
– Personal Data Act 1998 Sections 43–47 and 50.
– CIB Article 46.

PRI-04:

There is a requirement that each company establishes its own privacy officer to ensure the company complies with policy.
Notes: Not as yet. It has been drafted in the updated EU Data Protection Framework (still to be adopted).

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.

PRI-07:

An internal audit process is outlined for each company.

PCP-01:

“Personal Information” is defined, with examples and a clear outline.
– Personal Data Act 1998 Section 3.
Notes: The Act uses the term “personal data”.

PCP-02:

“Sensitive Information” is defined, with examples and a clear outline.
– Personal Data Act 1998 Section 13.
Notes: The Act uses the term “sensitive personal data”.

PCP-03:

Other types of information are defined that are treated differently from personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– Personal Data Act 1998 Section 10.
– CIB Article 5(d).

PCP-05:

Type of consent required is either explicit or implicit.
– Personal Data Act 1998 Section 15.
Notes: Explicit consent for sensitive personal data.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

Level of consent differs for different age groups.

PCP-08:

Consent may be withdrawn at any time.
– Personal Data Act 1998 Section 12.

PCP-09:

The purpose is explained to the individual and must be a lawful purpose.
– Personal Data Act 1998 Section 9.

PRO-01:

Individual has the ability to access their data by request.
– Personal Data Act 1998 Section 26.
– CIB Article 13.

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– Personal Data Act 1998 Section 28.
– CIB Article 14.

PRO-03:

Data can be sent to a third party for processing.
– Personal Data Act 1998 Section 33.
– CIB Article 9(1) and 9(6).

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
– Personal Data Act 1998 Section 9.
– CIB Article 6(1).

PRO-05:

Encryption is used when processing data to ensure anonymity.
– Personal Data Act 1998 Section 31.
Notes: Although encryption is not specified, encryption may be used if it is seen as a useful precaution.

PRO-06:

Unique identifiers can be used.

PRO-07:

Information may not be disclosed, sold or interfered with.
– Personal Data Act 1998 Section 48.
– CIB Article 22(2).

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– Personal Data Act 1998 Section 49.

PRO-09:

A complaints process is set up to deal with any breach of privacy.

STO-01:

All data is stored with at least a “reasonable” level of security.
– Personal Data Act 1998 Section 31.
– CIB Article 22(1).

STO-02:

Encryption techniques are used to store data.
– Personal Data Act 1998 Section 31.
– CIB Article 4(1)(e).
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third parties for their use.
– Personal Data Act 1998 Sections 10(e) and 28.
– CIB Articles 7–9.

STO-04:

Data can be stored offshore in a different country.
– Personal Data Act 1998 Section 34.
– CIB Article 22(1).
Notes: Although offshore storage is not specified, data may be stored offshore if that is seen as a useful precaution.

STO-05:

Data can be stored off site but in the same country.
– Personal Data Act 1998 Section 31.
– CIB Article 22(1).
Notes: Although off-site storage is not specified, data may be stored off site if that is seen as a useful precaution.

STO-06:

Information is only kept by the collection agency for the shortest time necessary for the outlined purpose to be fulfilled.
– Personal Data Act 1998 Section 9(i).
– PEC Section 26.
– CIB Article 4(1)(e).

STO-07:

Policies are in place for destroying data once consent is withdrawn or the data is no longer needed.
– Personal Data Act 1998 Section 9(h).
Notes: The Act and the CIB both refer to “processing” which covers a variety of operations, including erasing or destroying data.

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– Personal Data Act 1998 Section 49.
Notes: Does not specify storage.

STO-09:

Notification has to be given to individuals in case of a data breach.

STO-10:

Policy in place in case data collection agency ceases to operate.

STO-11:

Policy in place in case data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.
– The Marketing Act 2008 Section 20.
Notes: Not explicit, but the recipient is given the option to refuse.

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– The Marketing Act 2008 Section 19.
– PEC Section 23.

SPM-03:

Subject line to be clear and not misleading.

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.
– The Marketing Act 2008 Section 19.

SPM-05:

A form of a “Do Not Call” register is in place.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.
– SIG Section 11 a.
Notes: Can be postponed.

INT-02:

A data collection agency can refuse to turn over personal information.

INT-03:

A warrant is needed to have the ability to intercept personal data.
– Electronic Communications Act 2003 Chapter 6 Section 22.
Notes: Warrant not always needed.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.

INT-05:

External countries have the ability to intercept data with permission from the host country.
– SIG Section 9.