Category Archives: Sweden


New checklist prepares organisations for the new EU regulation

<<The Data Inspection Board has developed a checklist as an aid to companies and other organizations that must now prepare for the EU Regulation on data protection, which in two years replaces the Data Protection Act.

In two years the EU Data Protection Regulation becomes applicable in Sweden and other member countries. The regulation applies directly as Swedish law and replaces the Data Protection Act. This has major consequences for companies and other organizations that collect and use personal information.

– The regulation has similarities with the current Data Protection Act but also great differences. It is important that businesses, governments and others already start to prepare for the new rules, says the Data Inspection Board’s Director General Kristina Svahn Starrsjö.

The Data Inspection Board has developed a checklist that provides support in the preparatory work. The checklist is based on a model from the Data Inspectorate’s sister agency in the UK, the Information Commissioner’s Office.

The checklist includes 13 items, including items on new standards for integrity analyses, documentation, the legal arguments that can be used when personal information is collected and handled, and what information an organization must provide to the people whose data it collects.

– The checklist is available and I encourage all organizations that handle personal information to download and go through it, says Kristina Svahn Starrsjö.

The Data Inspection Board has also published some 20 questions and answers about the upcoming EU regulation on data protection and will in the fall organize training courses with a special focus on the regulation.>>


Review of the embassies’ visa handling completed

<<The Data Inspection Board has now completed its examination of how the embassies in Moscow and Addis Ababa handle personal information in their visa operations.

Several lawyers and an IT security specialist from the Data Inspection Board have examined on site how the Swedish embassies in Moscow, Russia and Addis Ababa, Ethiopia, handle personal information in their visa operations.

– It is the first time that the Data Inspection Board has made such a review, says the Agency’s international coordinator Elisabeth Wallin.

The Data Inspection Board has mainly examined the embassies’ use of the two EU-wide systems VIS (Visa Information System) and SIS (Schengen Information System).

– These are two major IT systems that contain a large amount of data on many people. It is therefore important that the embassies follow the rules on which information can be recorded and ensure that the information is accurate and not stored longer than necessary. It is also important that visa applicants are informed about how their personal data is handled and that the necessary security measures are in place to protect the data.

The Data Inspectorate chose the embassies in Moscow and Addis Ababa partly after consultation with the Immigration Service and the Foreign Ministry, but also because they represent two different operations in terms of categories of visa applicants, number of visa applications and other conditions.

– Our assessment is that the embassies have a good grasp of the applicable rules, have the necessary procedures in place and consequently process the personal data of those seeking visas correctly, summarizes Elisabeth Wallin.>>


Administrative Court: Yes, drones are subject to video surveillance law

<<Earlier this year the Administrative Court in Linköping ruled that a drone equipped with a camera is not subject to the rules in the camera surveillance law, among other things on the grounds that the camera can be used only for a short time in the air and therefore is not set up in the legal sense.

But the drone’s flight time is not decisive for whether the camera surveillance law (KÖL) applies, the Data Inspectorate held, and it appealed the judgment.

Now the administrative court of appeal in Jönköping agrees with the Data Inspection Board’s line. The court finds both that the camera is to be considered permanently set up and that the camera cannot be considered to be operated on site. “The camera in question therefore meets all the conditions for being a surveillance camera requiring a permit under KÖL”, writes the court in its judgment.

– The judgment makes the rules clearer because the court of appeal now states that a drone with a camera is subject to the surveillance law, says Malin Ricknäs, a lawyer at the Swedish Data Inspection Board.

Filming with drones in places to which the public has access requires a permit from the provincial government. If the provincial government grants a permit, it may impose conditions, for example on the place that may be filmed and at what time of day filming may take place.>>


Objections in Principle to new government data law

The Data Inspection Board has objections in principle to the proposed new “myndighetsdatalag” (Government data law) and believes that the investigation does not sufficiently take into account the requirement for privacy protection found in both EU legislation and the Swedish Constitution.

A study has been commissioned by the government to revise the legislation governing state and municipal authorities’ processing of personal data. The report proposes a new government data law that would apply generally to most authorities’ handling of personal data.

The Data Inspection Board has fundamental objections to how the law is designed. The ECHR, the EU Charter of Fundamental Rights, the Data Protection Directive and the Instrument of Government give citizens a right to protection of privacy and of personal data concerning them. The Data Inspection Board believes that the inquiry does not take the requirements for protection sufficiently into account.

– Of course, the ambition must be that public business is conducted as efficiently and effectively as possible. It may not happen in a way that sidelines basic privacy mechanisms, says the Data Inspection Board’s Director General Kristina Svahn Starrsjö.

Within the EU, work is now ongoing to develop new legislation on data protection. The Data Inspection Board believes that it is therefore important for a Swedish government data law to wait until it is known how the final EU legislation will be crafted. It is only then that it will be clear whether it is at all possible for Sweden to introduce a new government data law.


The commission set up by the Swedish government has proposed a law that will include provisions concerning data processing in all state and municipal authorities. In response the Swedish DPA has produced a report on the proposals.

The Data Inspection Board’s full report expressed concerns on both practical and principled grounds. The proposed official information act will largely replace the Swedish Personal Data Act, the primary implementation of the Data Protection Directive (95/46/EC). The comments also stated that the investigation did not have a mandate to include proposals for any significant changes to whether and how authorities may treat personal information, but that the commission’s proposal includes several significant deviations from the rules and principles currently governing authorities’ processing of personal data. The board also expressed concerns that the combined set of requirements between the new law and existing requirements would not create a clear regulatory regime.

The statement and the associated report represent an intervention by the Swedish data protection authority in the national legislative process (legitimate given its role and expertise), which draws upon both the existing national laws and the existing EU data protection frameworks. It also clearly highlights the problem with revising national laws on data protection issues when the General Data Protection Regulation reform effort has not yet been completed. Waiting until this is completed will reveal what legal and administrative space remains at the national level. The investigation has also found that a comprehensive settlement is more appropriate to meet the change that will occur through the EU Data Protection Regulation.


Few integrity-strengthening measures in the study on Swedish data storage

The Swedish Data Protection Authority has commented on a report by the Ministry of Justice on “Data storage and integrity” and believes that the integrity-protecting measures proposed in this report are too limited. The original study was commissioned by the Ministry of Justice, which drafted a proposal on how the protection of personal integrity/privacy can be strengthened in the context of Swedish traffic data retention.

Storage of traffic data enables detailed mapping of individuals, resulting in great privacy risks, while it can be an important tool for law enforcement authorities. It is therefore necessary to ensure well-balanced legislation on data retention which clearly regulates access to information and ensures a proportionate balance between law enforcement and privacy, says the Swedish Data Inspection Board Director General Kristina Svahn Starrsjö.

In its opinion, the Data Inspection Board points to a number of flaws and shortcomings in the legislation, such as the law enforcement authorities themselves deciding to make use of this traffic data for intelligence instead of there being an independent review. The Data Inspection Board also believes that the commission’s analysis is inadequate in terms of the extent of the storage obligation and the significance of people being made to feel they are under surveillance.

Because the legal situation is unclear, the Swedish DPA welcomes the EU Court of Justice’s determination of whether the Swedish data storage is compatible with European Union and European law.