Data Protection in Sweden

Enforcement in Sweden

EU regulation

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

  • the basic principles for processing including conditions for consent;
  • data subjects’ rights;
  • international transfer restrictions;
  • any obligations imposed by Member State law for special cases such as processing employee data; and
  • certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

  • obligations of controllers and processors, including security and data breach notification obligations;
  • obligations of certification bodies; and
  • obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

  • any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
  • data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).


Sweden regulation

Fines

Under the Data Protection Act, infringements of Article 10 of the GDPR may render administrative fines. As regards the amount of such fines, the higher of the two levels for legal maximum fines prescribed in the GDPR applies (Article 83(5) of the GDPR). As such, fines may be up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher.

In relation to public authorities, violations of the GDPR may render administrative fines under the Data Protection Act. Fines imposed on public authorities adhere to the system of the two levels of fines depending on the violated Article set out in the GDPR, may amount to maximum SEK 5 000 000 (in relation to the lower level of fines, set out in Article 83(4) of the GDPR) and SEK 10 000 000 (in relation to violations set out in Articles 83(5) and 83(6) of the GDPR).

Moreover, the Data Protection Act regulates procedural matters relating to decisions on administrative fines and how to appeal such decisions made by authorities (for example, the right to appeal to the Swedish Administrative Court).

Right to damages

The right for data subjects to claim damages from a controller or processor under Article 82 of the GDPR also applies to violations of provisions in the Data Protection Act and other Swedish regulations that supplement the GDPR.

Continue reading

  • no results

Previous topic
Back to top