Last review date: 27 December 2024

☒   omnibus – all personal data 

☒   sector-specific

E.g., telecoms/electronic communications, healthcare sector, camera surveillance, credit reference agencies and debt recovery agencies

☒   constitutional

Last review date: 27 December 2024

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

• EU General Data Protection Regulation
• Swedish Personal Data Protection Act
• Swedish Personal Data Protection Regulation
• Swedish Criminal Data Act

The Swedish Criminal Data Act (implementing the EU Data Protection Law Enforcement Directive) applies to personal data processing within law enforcement activities such as the Swedish Police Authority and hospitals if someone is sentenced to compulsory psychiatric care.

• Swedish Camera Surveillance Act

The Swedish Camera Surveillance Act supplements the EU GDPR and applies to processing of personal data in connection with camera surveillance.

• Swedish Patient Data Act

The Swedish Patient Data Act stipulates requirements for public and private healthcare providers' personal data processing in relation to healthcare activities, including the obligation to keep medical records.

• Swedish Police Data Act

  The Swedish Police Data Act supplements the Swedish Criminal Data Act in relation to personal data processing carried out by the Swedish Police Authority, the Swedish Economic Crime Authority, and the Swedish Security Service.

• Swedish Electronic Communications Act

The Swedish Electronic Communications Act covers electronic communications networks, services imposing certain extended legal requirements for companies with significant market power and influence. The act includes certain provisions to enhance the security and integrity of electronic communications requiring operators to take appropriate measures to manage risks. The act also outlines the responsibilities of the Swedish Post and Telecom Authority, which is the supervising authority.

The act regulates the use of cookies. For example, the law states that operators must obtain user consent before storing or accessing information on a user’s device, such as through cookies. Users must be informed about the purpose of the data collection and given the option to refuse. Storage and access of data is, however, permitted without consent if it is needed for the transmission of electronic messages or necessary for the providing of a service that has been explicitly requested by the user.

Last review date: 27 December 2024

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

• Swedish Act on Information Security for Essential Services and Digital Services

The Swedish Act on Information Security for Essential Services and Digital Services (implementing the EU Directive on Security of Network and Information Systems, the NIS Directive) stipulates cybersecurity requirements for essential services and digital services. The Swedish Act on Information Security for Essential Services and Digital Services applies to providers of essential transport with its primary establishment in Sweden, and to providers of digital services with its primary establishment in Sweden, e.g., online marketplaces, search engines and cloud services. Please see below for further information on the Swedish implementation of the NIS2 Directive.

Note that the EU Dual-Use Regulation may be applicable to cybersecurity solutions. This means that in the event that a cybersecurity solution is subject to control under the Dual-Use Regulation, and export controls subsequently apply, a license would be required in order to export the solution. 

Last review date: 27 December 2024 Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

• The Swedish Accounting Act (1999:1078) 

The Swedish Accounting Act regulates accounting, financial record keeping and reporting in Sweden. The act mandates an accurate collection and systematic recording of all business transaction. The Act also mandates that companies share relevant accounting information with auditors and relevant authorities.

Last review date: 27 December 2024

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

The NIS2 Directive, which in particular broadens the scope of application and also extends the relevant obligations in comparison to NIS, requires Member States to apply implementing measures from 17 October 2024. For Sweden, the government has through an inquiry presented its proposal for Swedish implementation of the NIS2 Directive with the proposed date of entry into force set to 1 January 2025. However, the new regulation in Sweden, following delays in the legislative procedure, will most likely not be entered into force until the summer of 2025.