The Criminal Data Act applies to personal data processing within law enforcement activities at such authorities as the Swedish Police Authority, the Swedish National Economic Crimes Bureau, the Swedish Customs, the Swedish Tax Agency, the Swedish Coast Guard and the Swedish Prosecution Authority. The term law enforcement activities refers to all work carried out with the purpose of preventing, investigating, detecting or prosecuting crimes.
The Criminal Data Act also applies to activities carried out to execute sentences. Such activities are carried on by for example
- The Prison and Probation Service in the case of prison sentences
- The Swedish Enforcement Authority in the case of fines
- The municipalities' social welfare boards where young people are sentences to care within social services
- Hospitals, if someone is sentenced to compulsory psychiatric care
The Criminal Data Act also applies to the Swedish Police Authority and the Swedish Coast Guard in their work to maintain public order and security.
The Swedish Security Service is a law enforcement authority but will not be subject to the Criminal Data Act but will have special legislation of its own.
The Criminal Data Act applies only within law enforcement
Many law enforcement authorities also have other tasks, for example border control or customs control, that do not involve law enforcement directly. The Criminal Data Act will not apply to such activities but the entire General Data Protection Regulation will apply instead.
The Criminal Data Act and the General Data Protection Regulation are based on common principles
Both the General Data Protection Regulation and the Criminal Data Act are based on common principles, for example that only processing of data that is necessary for special, explicitly stated and justified purposes is permitted. Nor may more personal data be stored than is needed for one's activities.
Just like everyone else who wishes to process personal data, law enforcement authorities must also have lawful grounds. There must thus exist a law or regulation or a special decision by the government that establishes that the authority is to work with law enforcement.
The authorities are also to appoint data protection officers, consult the Swedish Data Protection Authority on how they collect and use personal data, and report certain personal data breaches to the Swedish Data Protection Authority. And just like everyone else, law enforcement authorities can be fined if the regulations are not complied with.
What data can law enforcement authorities process?
The Criminal Data Act states that the authorities may only process the personal data that is needed for them to be able to carry out their tasks within law enforcement, to execute a sentence or to maintain public order and security. The authorities must also make a clear distinction between data subjects who are suspects or have been convicted of crimes and those who are data subjects for other reasons, for example because they are witnesses or relatives.
- The authorities must also
- check that the personal data is accurate and up to date
- rectify any inaccuracies
- erase the data when it is no longer needed
- ensure that only authorised persons have access to the personal data
- ensure that the personal data is handled in a secure manner from an IT security perspective.
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.