Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 27 December 2024

Yes.

The following are potential legal bases for processing personal data:

☒   the data subject has provided consent to the processing for the identified purposes

☒   the personal data is necessary to perform a contract with the data subject

☒   the personal data is necessary to comply with a legal obligation

☒   the personal data is necessary to protect the vital interests of a natural person

☒   the personal data is necessary for a public interest

☒   the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)

☒   other

Please see section 8 regarding personal data or sensitive personal data in the employment context.

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 27 December 2024

Yes.

The following are potential legal bases for processing special categories of personal data:

☒  the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")

☒   processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

☒   processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

☒   processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and further conditions

☒   processing relates to personal data which are manifestly made public by the data subject

☒   processing is necessary for the establishment, exercise or defense of legal claims

☒   processing is necessary for reasons of substantial public interest

☒   processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

☒   processing is necessary for reasons of public interest in the area of public health

☒   processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

☒   other

Note that processing of special categories of personal data (sensitive personal data) requires both a legal basis under Article 6 of the GDPR and a separate condition / exception for processing under Article 9 of the GDPR.

Private bodies may process special categories of personal data for health and social care purposes, for archiving in the public interest where prescribed by law, and for statistics, where the statistical purpose clearly outweighs the risk of intrusion into the data subject's integrity.

Processing of national personal identity numbers is subject to additional requirements for processing. Where there is no consent, the processing needs to be clearly justified by its purpose, the importance of positive identification, or another noteworthy reason.

According to Sections 6 and 7 of the Swedish DPA's regulations on the processing of personal data related to criminal offenses (IMYFS 2024:1), adopted in November 2024, certain companies are permitted to process personal data referred to in Article 10 GDPR (personal data related to criminal offenses) for the purpose of screening, for example, customers, suppliers and employees against third-country sanctions lists.

Following IMYFS 2024:1, companies under the supervision of the Swedish Inspectorate of Strategic Products or the Swedish Radiation Safety Authority are in some instances permitted to screen and process personal data, with certain limitations, against third-country sanctions lists.

Furthermore, companies under the supervision of the Swedish Financial Supervisory Authority (FI) have also been granted the ability to process personal data related to criminal offenses for screening against sanctions lists. However, in order for the data processing to be deemed permissible, such processing must be necessary to comply with the Swedish Act (2017:630) on Measures against Money Laundering and Terrorist Financing, other regulations, or rules in the financial market area issued by foreign authorities, EU bodies, or intergovernmental organizations.

It should be noted that, in order for the exemptions set out in IMYFS 2024:1 to apply, the processing must be necessary to comply with mandatory regulations and rules. The assessment of whether the processing is necessary should take into account the same factors as set out in Article 6(1) GDPR.

Lastly, the regulation also stipulates that the sanctions lists against which screening is conducted must have been established through a democratic process and made publicly available on the websites of the issuing authorities or intergovernmental organizations in order for the processing to be permissible. Internal lists created by individual companies or corporate groups are therefore not covered by the provisions.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 27 December 2024

Yes.

In accordance with the UN Convention on the Rights of the Child (ratified by all EU Member States), a child is a person under the age of 18 years. However, in the case of the special provision on consent to the processing of personal data for the use of information society services, a child of 13 years may give valid consent.

In what circumstances do these special requirements apply?

Last review date: 27 December 2024

☒   in the context of information society services (e.g., a commercial website) only if processing is based on consent

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 27 December 2024

☒   consent must be given or authorized by the parent/guardian of the minor

☒   additional data subject rights are granted to minors (e.g., deletion, access, transparency)

Note that data controllers have an obligation in accordance with the transparency measures addressed to children (Article 12(1) of the GDPR and Recitals 38 and 58).