Laws and regulations
The GDPR is an EU-wide law, but it is complemented by laws and regulations in each country. In addition to laws and regulations, Sweden carried out a range of preliminary work that shows the intention of the legislators.
The EU regulation covers aspects such as:
- What is personal data?
- What is sensitive personal data?
- What is the legal basis for processing personal data?
- What rights do data subjects have?
- Each country is to have a supervisory authority.
Below are links to the EU’s General Data Protection Regulation in Swedish and English. The documents open in a new window.
- EU General Data Protection Regulation – Swedish version (9.83 MB)
- EU General Data Protection Regulation – English version (9.83 MB)
Data Protection Act
In Sweden, there is a new Data Protection Act that complements the EU regulation. The Swedish Data Protection Act states that:
- an act or other ordinance, a collective agreement, or a decision that has been communicated under the legal authority of an act or other ordinance constitutes a legal obligation
- a public task is to be covered by an act or other ordinance, a collective agreement, or a decision that has been communicated under the legal authority of an act or other ordinance
- personal identity numbers warrant special protection
- administrative penalties may be charged by public authorities.
Data Protection Ordinance
There are also complementary provisions to the EU’s GDPR, which among other things stipulate the procedure for administrative penalties.
The conclusions of the investigations include in-depth discussion of the consequences of the new EU regulation. Three of the reports are of special interest to the higher education sector. Below are links to the reports. The documents open in a new window.
- Download SOU 2017:39 New Data Protection Act, May 2017, in Swedish (2.99 MB)
- Download SOU 2017:49 The EU’s GDPR and the education sector, June 2017, in Swedish (2.43 MB)
- Download SOU 2017:50 Personal data processing for research purposes, June 2017, in Swedish (2.32 MB)
The arguments and proposals were then processed by the Government, which in turn put forward three different bills presenting its proposals. These bills were then passed by the Swedish parliament.
- Bill 2017/18:105 New data protection act
  Here the Government states, among other things, that the Public Access to Information and Secrecy Act and the Archives Act continue to apply in the same way as today.
- Bill 2017/18:218 Processing of personal data in the higher education sector
  Here the Government states, among other things, that:
  - education is a public task. This means that the University is allowed to process personal data that is necessary for conducting education.
  - education is also a matter of important public interest. This may entail the processing of sensitive personal data in certain cases.
- Bill 2017/18:298 Processing of personal data for research purposes
dataskyddsombud [at] lu [dot] se
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) – the Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.