SWEDEN
The Swedish Data Protection Board website:
http://www.datainspektionen.se/in-english/
The Personal Data Act 1998:
http://www.sweden.gov.se/content/1/c6/01/55/42/b451922d.pdf
What needs to be done prior to collection?
NOTIFY THE DATA PROTECTION BOARD
Section 36 – Notification Duty
Processing of personal data that is
completely or partially automated is subject to a notification duty.
The controller of personal data shall provide a written notification
to the supervisory authority before such processing or a set of such
processing with the same or similar purpose is conducted.
If the controller of personal data
appoints a personal data representative, this shall be notified to
the supervisory authority. Removal from office of a personal data
representative shall also be notified to the supervisory authority.
The Government or the authority
appointed by the Government may issue regulations concerning
exemptions to the notification duty under the first paragraph for
such kinds of processing as would probably not result in an improper
intrusion of personal integrity.
Section 37 – Notification need not be made if there is a personal data representative
Notification under section 36, first
paragraph, need not be made if the controller of personal data has
given notice to the supervisory authority that a personal data
representative has been appointed and who she/he is.
CONTACT THE REGISTERED PERSON
Information should be provided voluntarily
Section 23 – Information to the Registered Person
If data about a person is collected
from the person him/herself, the controller of personal data shall
in conjunction therewith voluntarily provide the registered person
with information about the processing of the data.
Section 24 – Information to the Registered Person
If personal data has been collected
from another source than the registered person, the controller of
personal data shall voluntarily provide the registered person with
information about the processing of the data when it is registered.
However, if the data is intended to be disclosed to a third party,
the information need not be given before the data has been disclosed
for the first time.
Information under the first paragraph
need not be provided if there are provisions concerning the
registration or disclosure of personal data in an act or some other
enactment.
Nor need information be provided in
accordance with the first paragraph, if it proves to be impossible
or would involve a disproportionate effect. However, if the data is
used to take measures concerning the registered person, the
information shall be provided at the latest in conjunction with that
happening.
The information that must be provided voluntarily
Section 25 – Information to the Registered Person
Information under Section 23 or Section 24 shall comprise:
(a) Information concerning the identity of the controller of personal data,
(b) Information concerning the purpose of the processing; and
(c) All other information necessary in order for the registered person
to be able to exercise his/her rights in connection with the processing,
such as information about the recipients of the information, the
obligation to provide information and the right to apply for information
and obtain rectification.
However, information need not be
provided regarding such matters as the registered person already
knows of.
What needs to be done prior to shipping?
Section 33 – Prohibition of transfer of personal data to a third country
It is prohibited to transfer to a
third country personal data that is undergoing processing unless the
third country has an adequate level of protection for personal data.
The provision also applies to transfer of personal data for
processing in a third country.
The adequacy of the level of
protection afforded by a third country shall be assessed in the
light of all the circumstances surrounding the transfer. Particular
consideration shall be given to the nature of the data, the purpose
of the processing, the duration of the processing, the country of
origin, the country of final destination and the rules that exist
for processing in the third country.
Section 34 – Exemptions from the prohibition of transfer of personal data to a third country
Notwithstanding the provision in
Section 33, it is permitted to transfer personal data to a third
country if the registered person has given his/her consent to the
transfer or if the transfer is necessary for:
(a) The performance of a contract between the registered person and the
controller of personal data or the implementation of precontractual
measures taken in response to the request of the registered,
(b) The conclusion of performance of a contract between the controller of
personal data and a third party which is in the interest of the
registered person,
(c) The establishment, exercise or defence of legal claims, or
(d) The protection of vital interests of the registered person.
It is also permitted to transfer
personal data for use only in a state that has acceded to the
Council of Europe Convention for the Protection of Individuals with
regard to Automatic Processing of personal data.
What are the sanctions for non-compliance?
Section 48 – Damages
The controller of personal data shall
compensate the registered person for damages and the violation of
personal integrity that the processing of personal data in
contravention of this Act has caused.
The liability to pay compensation
may, to the extent that it is reasonable, be adjusted if the person
providing personal data proves that the error was not caused by him
or her.
Section 49 – Penalties
A person who intentionally or by carelessness:
- transfers personal data to a third country in contravention of Sections 33 – 35
- omits to give notification under Section 36
shall be sentenced to a fine or imprisonment of at most six months, or,
if the offence is grave, to imprisonment of at most two years.
A sentence shall not be imposed in
petty cases.
Please refer to the Swedish Data
Protection Board website for more details on the Statute.