Personal Data Ordinance 1998:1191, 3 september 1998

Personal Data Ordinance 1998:1191, issued 3 september 1998

The Government prescribes the following.

Introductory provisions

Section 1
This Ordinance provides supplementary regulations concerning such processing of personal
data as is subject to the Personal Data Act (1998:204).

Supervisory authority

Section 2
The Data Inspection Board is the supervisory authority under the Personal Data Act
(1998:204).

Notification to the Data Inspection Board

Section 3
The duty of notification under Section 36, first paragraph, of the Personal Data Act
(1998:204) does not apply to the processing of personal data

1. that is undertaken pursuant to an authority’s obligation under Chapter 2 of the
Freedom of the Press Act to provide official documents,

2. that is undertaken by the archive authority pursuant to the provisions of the Archives
Act (1990:782) or the Archives Ordinance (1991:446),

3. that is governed by specific regulations in a statute or ordinance in other cases than
those mentioned in items 1 and 2.

Section 4
The duty of notification under Section 36, first paragraph, of the Personal Data Act
(1998:204) does not apply to processing of personal data in running text.

Section 5
The duty of notification under Section 36, first paragraph, of the Personal Data Act
(1998:204) does not apply to processing of sensitive personal data that is performed under
Section 17 of the Personal Data Act. Nor does the duty of notification apply to the
corresponding processing by such an organisation of other kinds of personal data than
sensitive personal data.

Section 6
The Data Inspection Board may issue regulations on exemptions from the duty of notification
under Section 36, first paragraph, of the Personal Data Act (1998:204) for such types of
processing as will not be likely to result in improper intrusion of personal integrity.

Section 7
The Data Inspection Board shall, by means of automated processing, maintain a register of the
processing of personal data notified to the Inspection under Section 36, first paragraph, of the
Personal Data Act (1998:204).

Exemptions from the prohibition on processing of sensitive personal data

Section 8
Over and above the specifications in Sections 15–19 of the Personal Data Act (1998:204),
sensitive personal data may be processed by a public authority in running text if the data have
been submitted in a specific case or are necessary for the handling thereof. Ordinance
(2001:582).

Processing of information concerning criminal offences, etc.

Section 9
The Data Inspection Board may as regards automated processing of personal data issue
regulations on exemptions from the prohibition in Section 21 of the Personal Data Act
(1998:204) for persons, other than authorities, to process personal data concerning legal
offences that comprise crime, judgments in criminal cases, coercive penal procedural
measures or administrative deprivation of liberty. The Data Inspection Board may also decide
in individual cases on exemptions from the prohibition. Ordinance (2001:582).

Prior checking

Section 10
The following automated processing of personal data shall, irrespective of whether they are
subject to the duty of notification under Section 36 of the Personal Data Act or not, be
notified for preliminary review to the Data Inspection Board not later than three weeks in
advance:

1. processing of sensitive personal data for research purposes without consent of the
person registered and which have not been approved by a research ethics committee in
accordance with Section 19, second paragraph of the Personal Data Act (1998:204),

2. processing of personal data concerning hereditary disposition derived from genetic
investigation.

The first paragraph does not apply to such processing of personal data as is governed by
specific regulations in a statute or ordinance. Ordinance (2001:582).

Section 11
As regards such processing as is notified to it pursuant to Section 10 of this ordinance or
special regulations on prior checking in another statute or ordinance, the Data Inspection
Board shall make a specific decision as to whether or not measures are to be taken by reason
of the notification. Ordinance (2001:751).

Transfer of personal data to third countries

Section 12
A municipality or county council may transfer to a third country personal data included in:

1. a register and as referred to in Chapter 15, Section 2 of the Secrecy Act (1980:100);

2. a notice convening a meeting of a council or a committee;

3. an announcement of a council meeting; or

4. the approved minutes of a council or committee meeting.

Personal data that can be directly connected to the registered person may not be transferred.
However, this prohibition does not apply to personal data concerning an elected representative
if the data relate to his or her commission. Neither does the prohibition apply if:

1. other personal data concerning the registered person are not of the kind referred to in
Sections 13 or 21 of the Personal Data Act (1998:204); and

2. there is no reason to assume that there is a risk of violation of the registered person's
personal integrity as a result of the transfer.
Personal identity numbers and coordination numbers may never be transferred.
The provisions in paragraphs 1-3 also apply to federations of local authorities. In such cases,
council also refers to the councils or directorates of federations of local authorities and
committee refers to such a body as is referred to in Chapter 3, Section 25, paragraph 2 of the
Local Government Act (1991:900). Ordinance (2001:582).

Section 13
Personal data may be transferred to a third country:

1. if and to the extent that the Commission of the European Communities has established
that the country has an adequate level of protection for personal data pursuant to
Article 25.6 of Directive 95/46/EC of the European Parliament and the Council of 24
October 1995 on the protection of individuals with regard to the processing of
personal data and on the free movement of such data; or

2. if the personal data are transferred pursuant to an agreement that contains such
standard contractual clauses as the Commission, in accordance with Article 26.4 of the
Directive, has decided offer sufficient safeguards with respect to the protection of the
privacy and fundamental rights and freedoms of individuals and as regards the
exercise of the corresponding rights.
The Commission decisions referred to in paragraph 1, subsection 1, are listed in appendix 1 of
this ordinance. The appendix specifies that some of the decisions apply only to transfers to the
recipients specified in the decisions.
The Commission decisions referred to in paragraph 1, subsection 2, are listed in appendix 2 of
this ordinance. Ordinance (2002:142).

Section 14
The Data Inspection Board may issue regulations on exemptions from the prohibition in
Section 33 of the Personal Data Act (1998:204) on the transfer to a third country of personal
data which are undergoing processing and on the transfer to a third country of personal data
for processing if there are sufficient safeguards with respect to the protection of the registered
person's rights. Under the same conditions and in individual cases, the Data Inspection Board
may also make a decision on exemptions from the prohibition. Ordinance (2001:582).

Sector agreements

Section 15
The Data Inspection Board shall at the request of an organisation that represents a substantial
part of the controllers of personal data within a particular line of business or within a
particular sector issue an opinion on proposals for agreements as regards processing of
personal data within the line of business or sector (sector agreement).
An opinion under the first paragraph shall relate to the compatibility of the sector agreement
with the Personal Data Act (1998:204) and other statutes or ordinances governing the
processing of personal data in question.
The Inspection shall, before it issues its opinion, if appropriate ensure that organizations that
represent the persons registered have been given an opportunity to express their views on the
proposals for a branch agreement. Ordinance (2001:582).

Authorization

Section 16
The Data Inspection Board may on matters concerning automated processing of personal data
issue further regulations on

1. the cases in which processing of personal data is permitted,

2. the requirements which are imposed on the controller of personal data,

3. the cases in which the use of personal identity numbers is permitted,

4. what a notification or application to a controller of personal data should contain,

5. which information should be provided to the registered persons and how the
information should be provided,

6. notification to the Inspection and the procedure when notified information has been
altered. Ordinance (2001:582).

Support to persons who are registered abroad

Section 17
A person who is resident in Sweden and who is or may be assumed to be registered in a
register subject to the Council of Europe Convention for the Protection of Individuals with
regard to Automatic Processing of Personal Data in a country that has acceded to the
Convention, may submit to the Data Inspection Board a request for support of the kind
referred to in Article 14, Item 2 of the Convention. The Data Inspection Board shall pass on
the request for protection by natural persons in automatic data processing of personal data to
the other country.
The request should contain information about

1. name, address and other details necessary to identify the person who makes the
request,

2. the register to which the request relates or the person who is responsible for the
register,

3. the purpose of the request. Ordinance (2001:582).

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.