Legislacion Informatica de Suecia. DIFS 2001:1. Regulation amending Data Inspection Board Regulation (DIFS 1998:2) with regard to the obligation to notify the processing of personal data to the Data Inspection Board adopted on 3 October 2001.

DIFS 2001:1. Regulation amending Data Inspection Board Regulation (DIFS 1998:2) with regard to the obligation to notify the processing of personal data to the Data Inspection Board adopted on 3 October 2001.

The Data Inspection Board provides, pursuant to sections 6 and 16 of the Personal Data Ordinance (1998:1191), that sections 1, 5, 7 and 8 of Data Inspection Board Regulation (DIFS 1998:2) shall read as follows with regard to the obligation to notify the processing of personal data to the Data Inspection Board.

That Regulation will therefore read as follows with effect from the date of entry into force of the present Regulation.

 

Compulsory notification of particularly privacy-sensitive processing of personal data

Section 1.- (1) Particularly privacy-sensitive processing of personal data which under section 41 of the Personal Data Act (1998:204) must always be notified to the Data Inspection Board for a prior check is specified in section 10 of the Personal Data Ordinance (1998:1191).

Provisions relating to notification for prior checks are also contained in section 2 of the Police Data Ordinance (1999:81), section 2 of the Processing of Personal Data in Connection with Tax Authorities’ Involvement in Criminal Investigations Ordinance (1999:105) and section 2 of the Processing of Personal Data in the Law Enforcement Activities of the Swedish Customs Ordinance (2001:88). (DIFS 2001:1).

 

Notification of other processing operations

Notification requirement

Section 2.- Data controllers that have not appointed and notified the name of a personal data representative are required under section 36 (1) of the Personal Data Act (1998:204) to notify the Data Inspection Board of any fully or partially automated processing of personal data.
Exemptions from the notification requirement

Section 3.- Provisions relating to exemptions from the notification requirement laid down in section 36 (1) of the Personal Data Act (1998:204) are contained in sections 3, 4 and 5 of the Personal Data Ordinance (1998:1191). The Data Inspection Board may, pursuant to section 6 of the Personal Data Ordinance, grant exemptions from the notification requirement in other cases. Such exemptions are laid down in sections 4 and 5 of this Regulation.

Section 4.- The notification requirement laid down in section 36 (1) of the Personal Data Act (1998:204) shall not apply to the processing of personal data to which data subjects have consented.

Section 5.- (2) The notification requirement laid down in section 36 (1) of the Personal Data Act (1998:204) shall not apply to processing of the following personal data where the data controller keeps a record of processing operations involving data that would otherwise have been subject to notification:

(a) personal data relating to data subjects who are associated with the data controller by reason of membership, employment, a customer relationship or similar relationship, provided that the processing does not relate to sensitive data within the meaning of section 13 of the Personal Data Act;

(b) sickness data kept by employers that relate to workers’ sick leave periods, provided that the data are used for salary administration purposes or to determine whether the employer is required to undertake a rehabilitation investigation;

(c) personal data kept by employers that reveal workers’ trade union membership, provided that the data are used to enable employers to fulfil obligations or exercise rights under labour law or to make it possible to determine, enforce or defend legal claims;

(d) personal data collected from data subjects where processing is essential for compliance with the provisions of laws or regulations;

(e) personal data the processing of which is permitted in the health sector under section 18 of the Personal Data Act;

(f) personal data used in the activities of lawyers that are relevant to the provision of their services and to measures to avoid conflicts of interest; and

(g) personal data processed under sector-wide agreements reviewed by the Data Inspection Board pursuant to section 15 of the Personal Data Ordinance (1998:1191). (DIFS 2001:1).

 

Content of notifications

Notifications pursuant to section 36 (1) of the Personal Data Act (1998:204)

Section 6. – Notifications of processing operations involving personal data pursuant to section 36 (1) of the Personal Data Act (1998:204) shall be made in writing and signed by the data controller or its authorized representative.

Notifications shall contain:

(a) the name, address, telephone number and registration number of the data controller;

(b) the purpose or purposes of the processing operation;

(c) a description of the category or categories of data subjects affected by the data processing;

(d) a description of the category or categories of data concerning the data subjects that are to be processed;

(e) details of the recipients or categories of recipients to whom the data may be disclosed;

(f) information concerning data transfer to third countries;

(g) a general description of the measures that have been taken to safeguard the security of processing operations.

Any change in the above circumstances shall be notified in the same way.

Notifications for the purposes of prior checks of particularly privacy-sensitive processing operations

Section 7.- (3) Notifications for the purposes of prior checks by the Data Inspection Board shall be made in writing and signed by the data controller or its authorized representative. Notifications shall contain the information specified in section 6 and the reasons why it is necessary for the Data Inspection Board to carry out a prior check. Notifications shall also include details of the scheduled date for commencement of the processing operation and a contact person who can supply information.

Notifications for the purposes of prior checks pursuant to section 10 of the Personal Data Ordinance (1998:1191) shall also contain:

(a) details whether the processing has been checked by a research ethics committee and if so, a copy of the committee’s decision;

(b) information, where appropriate, that the data subject has consented and

(c) a description of the information to be given to the data subject.

Any change in the above circumstances shall be notified in the same way. (DIFS 2001:1)

 

Notification of personal data representatives

Section 8.- Notifications pursuant to section 36 (2) of the Personal Data Act (1998:204) of the appointment or discharge of a personal data representative shall include the names of the data controller and the personal data representative. Notifications shall be made in writing and signed by the data controller or its authorized representative. (DIFS 2001:1).

 

Form

Section 9.- Notifications referred to in sections 6, 7 and 8 may be made on special forms that are available from the Data Inspection Board.

 

ULF WIDEBÄCK

Leif Lindgren

————————————————————————————————

This statute (4) shall enter into force on 24 October 1998.

This statute (5) shall enter into force on 1 February 2000.

This statute (6) shall enter into force on 1 November 2001.
————————————————————————————————

(1) DIFS 1999:3.

(2) DIFS 1999:3.

(3) DIFS 1999:3.

(4) DIFS 1998:2.

(5) DIFS 1999:3.

(6) DIFS 2001:1.

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.