What is GDPR?
In April 2016 the EU decided on new regulations for the processing of personal data which are to be applied in the member states as from May 2018. The regulation starts to apply immediately, and is called Dataskyddsförordningen or GDPR (General Data Protection Regulation) .
The Regulation will be directly applicable in all the EU’s member states and will replace national rules. This means that the Swedish Personal Data Act (PuL, 1998:204) and the Personal Data Ordinance (1998:1191) will cease to apply.
The aim of the GDPR
To summarise, the aim of the GDPR is to:
- Reinforce protection for the individual’s or the data subject’s fundamental rights and freedoms, especially their right to protection of personal data.
- Enable the free movement of personal data within the EU.
- Promote the internal market for digital services by a harmonised regulation.
- Modernise the Data Protection Directive’s rules from 1995 and to adapt these to the new digital society
GDPR imposes stricter requirements than the Personal Data Act
The General Data Protection Regulation contains some important innovations:
- All organisations (and businesses) are obliged to maintain a record which describes the manner in which personal data is processing. Who, internally, is responsible for such a register or IT system, what it is used for, what kind of persons appear in it, what types of data and on which legal grounds the data is processed? (personal data processing register)
- Before planning a new personal data process which involves particular risks for those registered, one should make an assessment of the consequences that the processing can cause and which measures need to be taken in order to reduce the risks (data protection impact assessment).
- There must also be a legal basis in order to process personal data. Personal data may only be gathered for specific, expressly stated and justified purposes and may not be subsequently processed in a manner which is incompatible with these purposes (Legal basis and more clearly described data processing)
- The data subject’s rights will then be greater, for example, of being forgotten, sorted out, deleted as well as from the possibility of data portability (the rights of the data subject)
- If a personal data breach should occur, such as hacking or an unintentional loss of data, the supervisory authority (Datainspektionen) must be notified within 72 hours. One may also need to inform the data subject (notification of personal data breach)
- Certain organisations as well as authorities, those who process sensitive data or data which involves a charting of individuals’ behaviour, must appoint a person within the organisation who has the specific task of dealing with data protection matters, a data protection officer (DPO).
- Datainspektionen may impose an administrative fine on whoever is in breach of the Regulation rules. The fine should be assessed on the basis of how serious the breach is, whether it has occurred intentionally or not, which measures have been taken in order to diminish the damage, whether one has profited from the breach financially and other aggravating or extenuating circumstances (administrative fines).
What is personal data?
Personal data is all kinds of information which can be related to a physical living person. Typical personal data is a personal ID number, name and address. Photographs on persons are also classed as personal data. Yes, even sound recordings which are stored electronically can constitute personal data even if no name is mentioned in the recording. A corporate identification number is often not personal data but is so if it relates to a business . A car’s registration number can constitute personal data if it is possible to relate it to a physical person. Encrypted or coded data also constitutes personal data if anyone possesses a key which can connect them to a person.
When and to whom does GDPR apply?
The General Data Protection Regulation applies to all who process personal data, both when one determines the processing oneself as the person responsible for personal data or when one carries out the task on behalf of another as a processor.
When does GDPR not apply?
The General Data Protection Regulation does not apply to processing which is of a purely private nature, carried out by an EU body or occurs as part of certain identified activities.
The transfer of personal data outside the EU and EEA
For the transfer of personal data to countries outside the EU and EEA (so-called third country transfer) special rules apply. The transfer of personal data to a third country may, according to the General Data Protection Regulation, occur in the following conditions are met and on condition that other rules in the Ordinance are observed.
- Transfer may be made to countries which have an adequate level of protection. The EU Commission decides which countries are approved (protection of freedoms and rights, rule of law, etc.)
- Special permission by the Datainspektionen has been given
- Binding corporate rules can compensate deficiencies in national legal systems
- Intergovernmental agreements
- Binding corporate rules
- Standard agreement clauses
- Certifications or codes of practice
- Special exceptions, e.g. consent, fulfilment of agreement, in the data subjects interests, the public interest
This applies to both transfer to and access to data from a third country
Some central roles in GDPR
Controller, the person who decides on the purpose of the personal data processing, irrespective of whether anyone else carries out the actual processing. The controller is virtually always a business, an organisation or an authority.
Processor the person who carries out the personal data processing on behalf of the controller. In GDPR the processor has a direct liability and direct responsibilities. This means, for example, that agreement relations should be updated and that assistants must themselves observe a large proportion of the requirements in GDPR.
The Data Protection Officer (DPO) is a physical person who represents the liable instance in matters which relate to GDPR. Requirements governing the appointment of representatives for authorities.
Datainspektionen may impose a penalty on whoever is in breach of the Ordinance’s rules. Penalties for authorities are suggested at the levels of:
- SEK 10 million for procedural faults.
- SEK 20 million for violations of rules for protection.