Credit reference agencies collect information about individuals' financial and personal circumstances and companies' financial circumstances. Everyone over the age of 15 is registered at the major credit reference agencies.
The primary purpose of the Credit Information Act is to protect data subjects' personal privacy but the law is also to contribute to efficient provision of credit information. Information relating to private individuals may only be disclosed if there is a legitimate need, for example in the case of credit rating, and the person concerned is to receive a copy of the information for them to be able to check that the information is accurate.
Anyone who operates a credit information business must normally have permission from the Swedish Data Protection Authority. We check that the business is run in a proper fashion. A company that neglects its duties may be liable for damages and the person responsible can be sentenced to fines or imprisonment. You can see who has a licence to operate credit reference activities under Current licence-holders.
From and including 25 May 2018 the General Data Protection Regulation (GDPR) is to be applied regarding processing of personal data and will thus supersede the Personal Data Act (PuL). Additional Swedish legislation will be introduced in a number of areas, including credit information activities. The government has submitted a proposal that is intended to adapt the Credit Information Act to the General Data Protection Regulation as regards what requirements are to be set concerning processing of personal data and what information is to be provided to the data subject.
The proposal does not differ in any significant way from what applies today. Just as today credit reference agencies must have lawful grounds for processing personal data without the data subject's consent in their credit reference activities. The personal data may as previously not be retained for longer than is necessary for the purposes for which it is processed. Personal data relating to natural persons' defaulting on payments is also in future to be erased after three years. A natural person's right to be given access to information relating to him or her will in future be governed by the General Data Protection Regulation.
A licence from the Swedish Data Protection Authority is normally required to operate credit reference activities. On this page you will find all the holders of a licence to operate credit reference activities issued by the Swedish Data Protection Authority. The list is updated continuously:
The information is presented alphabetically in the following order:
1. The company's name
2. Corporate identity number (not stated for a sole proprietorship)
4. Reference number
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.