Last review date: 27 December 2024
☒ the identity and the contact details of the controller and, where applicable, of the controller's representative
☒ the contact details of the data protection officer, where applicable
☒ the purposes of the processing for which the personal data is intended
☒ the legal basis for the processing
☒ the categories of personal data concerned
☒ the source from which the personal data originates, and if applicable, whether it came from publicly accessible sources
☒ the legitimate interests pursued by the controller or by a third party if processing is based on the legitimate interests ground
☒ the recipients or categories of recipients of the personal data, if any
☒ information regarding data transfers to third countries, where applicable, and reference to appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
☒ the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
☒ the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.
☒ the existence of the right to withdraw consent if processing is based on consent
☒ the right to lodge a complaint with a supervisory authority
☒ whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
☒ if applicable, information regarding automated decision making, including profiling
Note that the Swedish DPA issued an administrative fine to a bank for the amount of SEK 7.5 million (approx. USD 719,000) for its failure to fulfil its information and transparency requirements in relation to its data subjects. The Swedish DPA's decision includes comments on how a data controller should fulfil the basic principle of transparency and the data subjects' right to information.
Last review date: 27 December 2024
Yes.
Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:
☒ right to access the data subject's own personal data
☒ right to rectify/correct the data subject's own personal data where inaccurate or incomplete
☒ right to erasure of personal data
☒ right to restrict data processing
☒ right to data portability
☒ right to object to the processing of personal data
☒ right to withdraw consent
☒ other: right to claim damages
Note that the Swedish DPA has issued a large administrative fine for non-compliance with the data subject's right of access under Art. 15 of the GDPR.
Last review date: 27 December 2024
Yes.
There are accountability and governance requirements to:
☒ take privacy by default and design measures for all processing of personal data
☒ perform and document data protection impact assessments (DPIAs) for high-risk processing:
The Swedish Authority for Privacy Protection issued a list of examples of processing activities for which DPIAs shall be made (available only in Swedish here).
☒ maintain a record of processing activities
☒ implement appropriate measures to comply with data privacy and cybersecurity
☒ demonstrate compliance with data privacy and cybersecurity
☒ identify a specific individual as the data privacy contact for data subject or data protection authority inquiries
☒ provide training to employees
☒ audit or supervise data processors
☒ appoint a local representative in the jurisdiction (if the controller or processor is not located in the jurisdiction)