Sweden - Data Breach Guide

Sweden

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

    Reference is made to the chapter on the European Union.

    However, providers of publicly available electronic communications services shall, within 24 hours, inform the Swedish Post and Telecom Authority of privacy incidents. If the incident is likely to be detrimental to the data subjects, and if the supervisory authority so requests, the data subjects must also be informed without undue delay.

    Furthermore, operators of essential services and providers of information society services covered by Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union shall notify the Swedish Civil Contingencies Agency of incidents having a significant impact on the continuity of the services that the operator provides. Notification shall be made at three different stages: within 6 hours, 24 hours and 4 weeks from the detection of the incident.

    The information below in sections 2-7 concerns only personal data breaches.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

    Reference is made to the chapter on the European Union.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

    Personal data breach notifications to the Swedish Data Protection Authority are made by filling out a standard form available online and sending it by regular mail. The time period for notifying the DPA is 72 hours, and the DPA will take the mail time into account.

    For the other requirements, reference is made to the chapter on the European Union.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

    Reference is made to the chapter on the European Union.

1.5 Even if there is no current legal obligation to do so, or if there is no “data controller” or “data processor” located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

    Reference is made to the chapter on the European Union.

1.6 What are the applicable (data protection) laws or guidelines within your country?

    The key Swedish legislation complementing the EU General Data Protection Regulation is the Swedish Act on complementary provisions to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (2018:218).

1.7 Contact information for the local Data Protection Authority:

    1.7.1 Data Protection Authority:

    Name: Datainspektionen
    Address (visiting): Drottninggatan 29, plan 5, 104 20 Stockholm, Sweden
    Address (post): Box 8114, 104 20 Stockholm, Sweden
    Telephone: +46 08 657 61 00
    Email: datainspektionen@datainspektionen.se
    Website: www.datainspektionen.se

    1.7.2 Swedish Post and Telecom Authority:

    Name: Swedish Post and Telecom Authority (PTS)
    Address (visiting): Valhallavägen 117, 115 31 Stockholm, Sweden
    Address (post): PTS, Box 5398, SE-102 49 Stockholm, Sweden
    Telephone: +46 8 678 55 00
    Fax: +46 8 678 55 05
    Email: pts@pts.se
    Website: www.pts.se

    1.7.3 Swedish Civil Contingencies Agency:

    Name: Swedish Civil Contingencies Agency
    Address: SE-651 81 Karlstad, Sweden
    Telephone: +46 (0) 771-240 240
    Fax: +46 (0) 10-240 56 00
    Email: registrator@msb.se
    Website: www.msb.se

For more information, contact:

    Name: Bobi Mitrovic, Fredrik Roos or Linda Källström
    Firm: Setterwalls Advokatbyrå AB
    Address: Sankt Eriksgatan 5, P.O. Box 11235, SE-404 25, Gothenburg, Sweden
    Telephone: +46 31 701 1700
    Fax: +46 31 701 1701
    Email: bobi.mitrovic@setterwalls.se / fredrik.roos@setterwalls.se / linda.kallstrom@setterwalls.se
    Website: www.setterwalls.se