Swedish GDPR Supplementary Act
Act (2018:218) with Supplementary Provisions to the EU General Data Protection Regulation
Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning
Sweden
RET-SE-NA-SFS2018-2018
The Act (2018:218) with Supplementary Provisions to the EU General Data Protection Regulation, known as the Swedish Data Protection Act, complements the GDPR within Sweden's legal framework. Enacted in 2018, it clarifies GDPR application, addresses national derogations, and outlines the powers of the Swedish Authority for Privacy Protection (IMY). This Act governs personal data processing, including sensitive data like social security numbers, but does not directly address pay equity or wage transparency. Its focus is strictly on data privacy, ensuring alignment with EU standards while accommodating national specifics.
Overview
The Act (2018:218) with Supplementary Provisions to the EU General Data Protection Regulation (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning), often referred to as the Swedish Data Protection Act or 'dataskyddslagen', serves as Sweden's national complement to the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR). Enacted on April 19, 2018, and entering into force on May 25, 2018, concurrently with the GDPR, its primary purpose is to adapt and clarify the application of the GDPR within the Swedish legal framework. This supplementary act addresses areas where the GDPR allows for national derogations or specifications, ensuring a cohesive and comprehensive data protection regime in Sweden. It is crucial for understanding how personal data is processed in Sweden, particularly in sectors and situations where national law provides additional guidance or specific rules beyond the direct application of the GDPR.
The Act extends the application of GDPR provisions to certain areas not covered by Union law, such as activities related to national security, and provides specific rules for the processing of sensitive personal data, including social security numbers. It also outlines the powers and procedures for the Swedish supervisory authority, the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), in enforcing data protection regulations. While the GDPR provides the overarching framework for data protection across the EU, the Swedish supplementary act ensures that the nuances of Swedish legal traditions and specific national needs are accommodated, creating a tailored approach to data privacy within the country. The historical context of this Act is rooted in Sweden's need to replace its previous national data protection legislation (such as the Personal Data Act, Personuppgiftslagen, PUL) with a framework fully compliant with the new, stricter EU standards set by the GDPR, thereby harmonizing data protection law across the EU while allowing for necessary national adaptations.
It is important to note that this Act is fundamentally a data protection law and does not directly address matters of pay equity, equal pay, or broader employment law concerning wage discrimination or transparency. Its provisions are focused on the lawful processing, storage, and protection of personal data, including data that might incidentally contain salary information, but not on the equitable distribution or disclosure of wages. Therefore, while it impacts how any personal data, including remuneration details, is handled, it does not establish or regulate pay equity principles, reporting obligations, or audit requirements. The Act's historical context is rooted in Sweden's need to align its national legislation with the comprehensive data protection standards set by the EU GDPR, replacing previous national data protection laws and ensuring a consistent approach to privacy across the Union.
Definitions
The Act (2018:218) primarily adopts the definitions established in the EU General Data Protection Regulation (GDPR). Section 1 of Chapter 1 explicitly states that terms and expressions in this Act have the same meaning as in the EU General Data Protection Regulation. Key terms, therefore, include 'personal data,' defined as any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This broad definition means that information like an employee's salary, if linked to their identity, constitutes personal data.
Other fundamental definitions adopted from the GDPR include 'processing,' which refers to any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This encompasses virtually any action taken with personal data, from collecting an employee's bank details for payroll to storing their performance reviews. The Act also relies on the GDPR's definitions of 'data controller' (the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) and 'data processor' (a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller). In an employment context, the employer is typically the data controller, and a payroll service provider might be a data processor.
Crucially, as a data protection law, the Act (2018:218) does not introduce or define terms specific to pay equity, equal pay, or employment law concepts such as 'comparable work,' 'equal remuneration,' 'pay gap,' or 'wage discrimination.' Its definitional scope is strictly limited to the realm of personal data protection, ensuring consistency with the overarching EU GDPR framework. Any data related to an individual's pay would fall under the general definition of 'personal data' if it can identify an individual, and its processing would be subject to the rules of this Act and the GDPR, but the Act does not define or regulate the *equity* of that pay. The Swedish Authority for Privacy Protection (IMY) is also implicitly defined as the national 'supervisory authority' responsible for overseeing compliance.
Covered Employers
The Act (2018:218) with Supplementary Provisions to the EU General Data Protection Regulation applies to the processing of personal data carried out in the context of the activities of an establishment of a data controller or data processor in Sweden. Its territorial scope largely mirrors that of the EU GDPR, meaning it applies to organizations established in Sweden that process personal data, regardless of whether the processing itself takes place in the EU or not. It further extends to data controllers not established in Sweden but in a place where Swedish law applies under international law. The Act also covers data controllers or data processors established only in third countries if the processed data pertains to data subjects located in Sweden and relates to offering goods or services to such data subjects, or to monitoring their behaviour in Sweden, thereby ensuring broad extraterritorial application consistent with GDPR Article 3.
The Act does not establish specific size thresholds for employers or differentiate coverage based on sectors in the context of employment or pay equity. Instead, its applicability is determined by an entity's role as a 'data controller' or 'data processor' and its involvement in the processing of personal data concerning individuals in Sweden. This means that virtually any organization, public or private, regardless of its size or industry, that processes personal data of individuals within Sweden falls under the purview of this Act and the GDPR. This includes small businesses, large corporations, public authorities, non-profit organizations, and even individuals acting in a professional capacity, provided they are processing personal data.
Exemptions from certain provisions of the Act exist for specific types of data processing, particularly those related to national security, defense, and certain law enforcement activities, as outlined in Chapter 1, Section 3. These exemptions are narrowly defined and apply to specific public sector functions, not to general commercial or employment activities. However, these exemptions are specific to data protection contexts and do not relate to employer size or sector in the context of pay equity. The Act does not include phase-in periods for compliance based on employer characteristics, as its requirements became effective for all covered entities simultaneously with the GDPR on May 25, 2018, ensuring immediate and universal application for all processing activities.
Employee Rights
Under the Act (2018:218), employee rights are primarily framed as data subject rights, consistent with the EU General Data Protection Regulation. These rights empower individuals to have control over their personal data. Key rights include the right to information, meaning individuals have the right to be informed about the collection and use of their personal data, including the purposes of processing, the categories of data, and the recipients. They also possess the right of access (Article 15 GDPR), allowing them to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and certain information regarding the processing, such as the period for which the personal data will be stored.
Further rights include the right to rectification (Article 16 GDPR), enabling data subjects to have inaccurate personal data concerning them rectified without undue delay, and the right to erasure (also known as 'the right to be forgotten', Article 17 GDPR), allowing for the deletion of personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected. The Act also upholds the right to restriction of processing (Article 18 GDPR), which allows data subjects to limit the way an organization uses their data, and the right to data portability (Article 20 GDPR), enabling them to receive their personal data in a structured, commonly used and machine-readable format and to transmit that data to another controller. Additionally, employees have the right to object to processing (Article 21 GDPR) in certain situations, particularly concerning direct marketing or processing based on legitimate interests.
It is crucial to understand that these are data protection rights, not rights specifically related to pay equity or wage comparison. While an employee's salary information constitutes personal data and is therefore subject to these rights (e.g., an employee can request access to their own salary data held by the employer), the Act does not grant employees the right to request information about the salaries of colleagues for comparison purposes, nor does it establish procedures for exercising such pay equity-specific comparison rights. The mechanisms for exercising these data protection rights typically involve submitting a written request directly to the data controller (the employer in an employment context), who must respond within specified timeframes, usually one month, with the possibility of extension for complex requests. If the employer fails to comply, the employee can lodge a complaint with the Swedish Authority for Privacy Protection (IMY).
Pay Transparency Requirements
The Act (2018:218) with Supplementary Provisions to the EU General Data Protection Regulation does not contain any provisions related to pay transparency requirements. Its scope is strictly limited to the protection and processing of personal data, and it does not address issues such as salary range disclosure in job postings, the publication of pay scales, or any other mechanisms designed to promote wage transparency for the purpose of identifying and rectifying pay gaps. The focus of this legislation is on how personal data, including any data that might pertain to an individual's remuneration, is collected, stored, used, and secured, rather than on the disclosure of remuneration information to foster pay equity.
Therefore, employers in Sweden are not mandated by this specific Act to disclose salary ranges in job advertisements, provide pay scale information to employees, or publish aggregated pay data. Any such requirements would stem from other national or EU-level employment and anti-discrimination laws, such as the Swedish Discrimination Act (Diskrimineringslagen), which includes provisions on active measures to promote equal opportunities and prevent discrimination, including pay discrimination. However, these are separate legal instruments with distinct objectives and enforcement mechanisms. The Act's provisions on transparency relate to the transparent processing of personal data, meaning individuals must be informed about how their data is used, the legal basis for processing, and their rights as data subjects, but this does not extend to the transparency of pay structures or individual salaries beyond what is necessary for data subject rights (e.g., an individual's right to access their own personal data, which may include their salary).
In summary, while the Act ensures that any personal data, including salary information, is handled in a transparent and lawful manner from a data protection perspective, it does not impose obligations on employers to make pay information transparent to employees or the public for the purpose of promoting equal pay. The absence of such provisions underscores the distinct focus of this Act as a data protection instrument, separate from legislation aimed at addressing pay equity and wage discrimination. Employers seeking guidance on pay transparency obligations would need to consult other specific employment and anti-discrimination laws applicable in Sweden and at the EU level, such as the EU Pay Transparency Directive (Directive (EU) 2023/970), which Member States are required to transpose into national law.
Reporting & Audit Obligations
The reporting and audit obligations under the Act (2018:218) are entirely centered on data protection compliance, not pay equity. Data controllers are primarily obligated to report personal data breaches to the Swedish Authority for Privacy Protection (IMY) without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This notification must include details such as the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to be taken to address it. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller is also required to communicate the personal data breach to the data subject without undue delay, informing them of the nature of the breach and recommended mitigation measures. These requirements are directly derived from Articles 33 and 34 of the EU GDPR, with the Swedish Act providing supplementary details or clarifications where permitted.
Furthermore, data controllers are obligated to conduct Data Protection Impact Assessments (DPIAs) when a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons (Article 35 GDPR). This includes processing operations involving systematic and extensive evaluation of personal aspects, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas. The Act also includes provisions for prior consultation with IMY (Article 36 GDPR) in certain high-risk scenarios where a DPIA indicates that the processing would result in a high risk in the absence of measures by the controller to mitigate the risk. These obligations ensure proactive risk management and accountability in data processing activities, requiring organizations to assess and mitigate privacy risks before processing begins.
It is critical to emphasize that these reporting and audit obligations have no connection to pay gap reporting, equal pay audits, or any other form of assessment related to wage equity. The Act does not mandate employers to conduct audits of their pay structures to identify gender-based or other discriminatory pay gaps, nor does it require them to report aggregated salary data to any authority for pay equity monitoring. The audits and reports envisioned by this Act are solely for ensuring compliance with personal data protection principles and mitigating data privacy risks. Any audits related to pay equity would fall under the purview of separate employment and anti-discrimination legislation, such as the Discrimination Act, which may require employers to conduct salary surveys or analyses as part of their active measures to promote equal opportunities.
Governance & Enforcement Bodies
The primary governance and enforcement body for the Act (2018:218) and the EU General Data Protection Regulation in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY). Formerly known as Datainspektionen (the Data Inspectorate) until January 1, 2021, IMY is an independent public authority responsible for supervising compliance with data protection legislation. Its mandate includes providing guidance and information on data protection to individuals and organizations, handling complaints from individuals regarding alleged infringements of their data protection rights, conducting inspections and audits of data controllers and processors, and issuing administrative fines and other corrective measures for violations of the GDPR and the supplementary Act. IMY operates with significant independence to ensure impartial enforcement of data protection laws.
IMY plays a proactive role in setting the agenda for data protection in Sweden, issuing guidelines, recommendations, and making landmark decisions that clarify the interpretation and enforcement of the rules. Individuals who believe their data protection rights have been violated can file a complaint with IMY, typically through an online form or written submission. IMY then has the authority to investigate the matter, gather evidence, and take appropriate action. This can range from issuing warnings and reprimands to ordering specific corrective actions, restricting data processing, or imposing significant administrative fines, depending on the severity and nature of the infringement. IMY also cooperates with other EU supervisory authorities through the European Data Protection Board (EDPB) to ensure consistent application of GDPR across the Union.
It is essential to distinguish IMY's role from that of bodies responsible for enforcing equal pay or anti-discrimination laws. IMY's mandate is exclusively focused on data protection and privacy; it does not have jurisdiction over matters of pay equity, wage discrimination, or the enforcement of equal pay principles. While IMY ensures that personal data, including salary information, is processed lawfully, fairly, and securely, it does not assess whether pay structures are equitable or non-discriminatory. Other specialized agencies or courts, such as the Equality Ombudsman (Diskrimineringsombudsmannen, DO) and the labor courts, would handle such employment law matters under the Discrimination Act. IMY's contact information and resources are readily available on its official website (www.imy.se), providing comprehensive guidance and complaint mechanisms.
Monitoring & Evaluation
Monitoring and evaluation under the Act (2018:218) are primarily carried out by the Swedish Authority for Privacy Protection (IMY) to ensure compliance with data protection regulations. IMY employs a multi-faceted approach to monitor adherence to the GDPR and the supplementary Act, including proactive inspections, reactive investigations based on complaints, and thematic audits. Proactive inspections may involve visiting organizations to assess their data processing practices, data security measures, and compliance with data subject rights. Reactive investigations are initiated when IMY receives a complaint from a data subject or a report of a data breach, leading to a detailed inquiry into the alleged infringement. Thematic audits focus on specific sectors or types of processing activities deemed high-risk or of particular public interest, allowing for a broader assessment of compliance trends.
Complaints from data subjects form a significant part of IMY's monitoring activities. When an individual files a complaint regarding the processing of their personal data, IMY investigates the alleged infringement, gathers evidence, and makes a determination. This process can lead to various corrective measures, such as ordering a data controller to rectify or erase data, restricting processing, or imposing administrative fines. The frequency of audits and inspections is not fixed but is determined by IMY based on risk assessments, public interest, strategic priorities, and available resources. IMY also monitors legislative developments and technological advancements to ensure that its guidance and enforcement strategies remain relevant and effective in a rapidly evolving digital landscape.
The evaluation criteria for compliance are strictly tied to the principles and provisions of the GDPR and the Act (2018:218), focusing on aspects such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. IMY assesses whether data controllers have implemented appropriate technical and organizational measures to protect personal data, whether they have a valid legal basis for processing, and whether they respect data subjects' rights. These criteria do not include any assessment of pay equity, gender pay gaps, or other employment-related discrimination metrics. The monitoring and evaluation mechanisms are designed to safeguard personal data privacy, not to ensure equitable remuneration practices within organizations, which fall under the purview of other specialized regulatory bodies and laws.
Enforcement & Penalties
Enforcement of the Act (2018:218) and the underlying EU General Data Protection Regulation in Sweden is robust, with the Swedish Authority for Privacy Protection (IMY) having the power to impose significant administrative fines and other corrective measures. The penalties for non-compliance are outlined in Article 83 of the GDPR and are applied by IMY, with the supplementary Act clarifying certain national specificities regarding the application of these fines, particularly for public authorities. Fines can be substantial, reaching up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements, such as violations of data processing principles or data subjects' rights. Less severe infringements, like violations of certification body requirements or obligations of a monitoring body, can incur fines up to €10 million or 2% of the total worldwide annual turnover.
IMY has demonstrated its willingness to issue fines, with notable cases including penalties for unlawful facial recognition technology use in schools and for insufficient security measures leading to data breaches. Beyond monetary penalties, IMY can also issue a range of other corrective powers as stipulated in Article 58 of the GDPR. These include issuing warnings and reprimands, ordering data controllers to comply with data subject requests, ordering the rectification or erasure of personal data, imposing a temporary or definitive limitation or ban on processing, and ordering the suspension of data flows to a recipient in a third country. The severity of the penalty depends on various factors, including the nature, gravity, and duration of the infringement, the intentional or negligent character of the infringement, any actions taken to mitigate damage, and the categories of personal data affected.
Individuals also have the right to lodge a complaint with IMY and to an effective judicial remedy against a legally binding decision of IMY. They also have the right to receive compensation for any material or non-material damage suffered as a result of an infringement of the GDPR, which can be pursued through civil courts. Any criminal liability or appeals processes mentioned in the Act relate to data protection offenses, such as unlawful access to personal data or breaches of secrecy, not employment law violations concerning remuneration. The appeals process for IMY's decisions typically involves appealing to the Administrative Court (Förvaltningsrätten) and potentially further to the Administrative Court of Appeal (Kammarrätten) and the Supreme Administrative Court (Högsta förvaltningsdomstolen) in Sweden.
Relationship to Other Laws
The Act (2018:218) functions as a supplementary law to the directly applicable EU General Data Protection Regulation (GDPR). This means that while the GDPR sets the overarching legal framework for data protection across the European Union, the Swedish Act provides national specificities and clarifications where the GDPR allows for Member State discretion. It ensures that the GDPR is seamlessly integrated into the Swedish legal system, addressing areas such as the processing of social security numbers (which requires specific legal authorization in Sweden) and providing specific rules for public authorities, which often have unique data processing needs and legal obligations under Swedish administrative law. This supplementary nature means the Act cannot contradict the GDPR but can elaborate on or specify its application within national contexts.
The Act also interacts with other Swedish sectoral laws that govern the processing of personal data in specific contexts. For instance, it coexists with the Camera Surveillance Act (Kamerabevakningslag (2018:1200)), which regulates the use of surveillance cameras; the Criminal Data Act (Brottsdatalag (2018:1177)), which governs the processing of personal data in criminal justice; and the Patient Data Act (Patientdatalag (2008:355)), which sets specific rules for healthcare data. In cases of conflict, these sectoral laws may supersede provisions in the Supplementary GDPR Act, particularly when they provide more specific or stringent rules for data processing within their respective domains, adhering to the principle of *lex specialis derogat legi generali* (specific law overrides general law). Furthermore, the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen (2009:400)) also plays a crucial role in balancing data protection with the principle of public access to official documents in Sweden.
However, it is vital to understand that this Act does not directly interact with or complement Swedish employment laws or anti-discrimination legislation concerning pay equity. Laws such as the Discrimination Act (Diskrimineringslagen (2008:567)) in Sweden are the primary legal instruments for addressing issues of equal pay and non-discrimination in employment. The Act (2018:218) does not establish precedence over, nor does it conflict with, these employment-specific laws regarding remuneration. Its focus remains solely on the protection of personal data, and it does not provide a legal basis for challenging pay disparities or enforcing equal pay principles. Any legal challenges or compliance requirements related to pay equity would be governed by the Discrimination Act and related labor laws, which have their own distinct enforcement bodies and legal frameworks.
International Context
The Act (2018:218) is firmly rooted in the international context of data protection, primarily as a national implementation and supplementary measure to the EU General Data Protection Regulation (GDPR). The GDPR itself is a landmark piece of legislation that has significantly influenced data protection standards globally, setting a high bar for privacy and individual rights concerning personal data. As an EU Member State, Sweden is bound by the GDPR, and its supplementary Act ensures national alignment and addresses areas where the GDPR permits national variations or specific rules, thereby contributing to a harmonized yet adaptable data protection framework across the European Economic Area. This legislative approach reflects Sweden's commitment to upholding fundamental rights to privacy and data protection as enshrined in the EU Charter of Fundamental Rights.
While the GDPR and its supplementary acts represent a modern standard for data protection, they operate in a distinct legal sphere from international labor standards concerning equal pay. The International Labour Organization (ILO) has established key conventions such as the Equal Remuneration Convention, 1951 (No. 100), and the Discrimination (Employment and Occupation) Convention, 1958 (No. 111). These ILO conventions promote equal pay for work of equal value and non-discrimination in employment. However, the Swedish Act (2018:218) does not directly implement or relate to these ILO conventions. Its purpose is data privacy, not labor rights or pay equity. Sweden, as an ILO member state, adheres to these conventions through its national labor laws, such as the Discrimination Act, which are separate from its data protection legislation.
Globally, the trend towards stronger data protection laws, often inspired by the GDPR, is evident. Many countries have enacted or updated their data privacy legislation to protect personal data more rigorously, reflecting a growing international consensus on the importance of privacy rights. This Swedish Act is part of that broader global movement towards enhanced data privacy. However, it is crucial to reiterate that this Act's international context is solely within the realm of data protection and privacy. It does not contribute to, nor is it influenced by, global trends or international instruments specifically addressing pay equity, wage transparency, or gender pay gap reduction. These are addressed by separate legal frameworks at national and international levels, such as the recent EU Pay Transparency Directive, which will require separate transposition into Swedish law.
Implementation Timeline
| Date | Milestone | Status |
|---|---|---|
| 2016-04-27 | EU General Data Protection Regulation (GDPR) adopted by EU Parliament and Council | Adopted |
| 2018-04-19 | Act (2018:218) adopted by the Swedish Parliament | Adopted |
| 2018-04-24 | Act (2018:218) published in the Swedish Code of Statutes (SFS) | Published |
| 2018-05-25 | EU General Data Protection Regulation (GDPR) entered into force | In Force |
| 2018-05-25 | Act (2018:218) entered into force | In Force |
| Ongoing | Subsequent amendments to the Act (e.g., SFS 2025:256) | In Force (Amended) |
Compliance Checklist
| Requirement | Action Required | Deadline |
|---|---|---|
| Understand GDPR & Act (2018:218) | Familiarize with both the EU GDPR and the specific supplementary provisions in the Swedish Act, including national derogations. | Ongoing |
| Lawful Basis for Processing | Ensure all personal data processing has a valid legal basis (e.g., consent, contract, legal obligation, legitimate interest) and is documented. | Ongoing |
| Data Subject Rights Procedures | Establish clear, accessible procedures to respond to data subject requests (access, rectification, erasure, restriction, portability, objection) within one month. | Ongoing |
| Data Protection Officer (DPO) | Appoint a DPO if required by GDPR (public authorities, large-scale systematic monitoring, processing of special categories of data) and ensure their independence. | Ongoing |
| Data Breach Notification Protocol | Implement procedures to detect, handle, and report personal data breaches to IMY within 72 hours (if applicable) and to affected data subjects without undue delay. | Immediately upon breach discovery |
| Data Protection Impact Assessment (DPIA) | Conduct DPIAs for high-risk processing activities before processing begins, and consult IMY if residual high risk remains. | Before processing begins |
| Data Processing Agreements | Ensure contracts with data processors comply with GDPR Article 28 requirements, clearly defining roles and responsibilities. | Before engaging a processor |
| Security Measures Implementation | Implement appropriate technical and organizational measures (e.g., encryption, access controls, pseudonymisation) to ensure data security and confidentiality. | Ongoing |
| Record of Processing Activities | Maintain detailed, up-to-date records of all data processing activities carried out under the controller's responsibility (Article 30 GDPR). | Ongoing |
| International Data Transfers Safeguards | Ensure appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions) are in place for transfers of personal data outside the EU/EEA. | Before transfer |
| Processing of Special Categories of Data | Ensure strict compliance with conditions for processing sensitive personal data (e.g., health data, social security numbers) as per GDPR Article 9 and national law. | Ongoing |
| Regular Compliance Review | Periodically review and update data protection policies, procedures, and security measures to ensure ongoing compliance and effectiveness. | Annually or as needed |
© RewardsET.com / Smitteck GmbH — created on 22-Jan-2026 using Gemini 2.5 Flash