Laws and regulations
Laws and ordinances
The GDPR (General Data Protection Regulation) is an EU-wide law, but it is complemented with laws and regulations in each country. In addition to laws and regulations, Sweden has carried out a range of preliminary work that shows the intention of legislators. GDPR regulates aspects such as:
- What is personal data?
- What is sensitive personal data?
- What is the legal basis for processing personal data?
- What rights do data subjects have?
- Each country is to have a supervisory authority.
Below are links to the EU’s GDPR in Swedish and English. The documents open in a new window.
- EU General Data Protection Regulation – Swedish version (PDF, 9.83 MB)
- EU General Data Protection Regulation – English version (PDF, 9.83 MB)
Swedish supplementary regulations
Data Protection Act
In Sweden, there is a new Data Protection Act that complements the EU regulation. The Swedish Data Protection Act states that:
- the act or other ordinance, collective agreement or a decision that has been communicated with the legal authority of the act or other ordinance constitute a legal obligation
- a public task is to be covered by the act or other ordinance, collective agreement or a decision that has been communicated with the legal authority of the act or other ordinance
- personal identity numbers warrant special protection
- administrative penalties may be charged by public authorities.
Data Protection Act (2018:218) (PDF, 1.15 MB)
Data Protection Ordinance
There are also complementary provisions to the EU’s GDPR, which among other things stipulate the procedure for administrative penalties. The document below is in Swedish.
Data Protection Ordinance (2018:219) (PDF, 4.94 MB)
The conclusions of the investigations include in-depth discussion on the consequences of the new EU regulation. Three of the reports are of special interest to the higher education sector. Below are links to the reports. The documents are in Swedish.
- SOU 2017:39 New Data Protection Act, May 2017, in Swedish (PDF, 2.99 MB)
- SOU 2017:49 The EU’s GDPR and the education sector (PDF, 2.43 MB)
- SOU 2017:50 Personal data processing for research purposes (PDF, 2.32 MB)
The arguments and proposals were then processed by the Government which in turn put forward three different bills that present their proposals. These bills were then passed by the Swedish parliament. All the documents below are in Swedish.
Bill 2017/18:105 New data protection act
Here the Government states among other things that the Public Access to Information and Secrecy Act and the Archives Act continue to apply in the same way as today.
2017/18:105 New data protection act, in Swedish, (PDF, 2.58 MB)
Bill 2017/18:218 Processing of personal data in the higher education sector
Here the Government states among other things that:
- education is a public task. This means that the university is allowed to process personal data that is necessary for conducting education.
- education is also a matter of important public interest. This may entail the processing of sensitive personal data in certain cases.
Bill 2017/18:298 Processing of personal data for research purposes
Lund University has an external Data Protection Officer; Secure State Cyber AB and the contact person at Secure State Cyber AB is Sanja Hebib.
Do you have questions regarding data protection - please contact:
dataskyddsombud [at] lu [dot] se (dataskyddsombud[at]lu[dot]se)