When you wish to process personal data in your activities you must comply with the General Data Protection Regulation. This means among other things that you need to base the processing on one of the lawful grounds that we describe in more detail here. Without lawful grounds it is illegal to process personal data.
There are six lawful grounds, which are summarised below. At the bottom of the page are links to each of them.
Consent: The data subject has consented to the personal data processing. N.B. In many cases it is not appropriate or even possible to base processing on the data subject's consent. You should therefore always first consider whether you can base the personal data processing on one of the other lawful grounds.
Contract: The data subject has a contract or is to enter into a contract with the data controller.
Weighing of interests: The data controller may process personal data without the data subject's consent if the data controller's interests outweigh those of the data subject and if the processing is necessary for the purpose in question.
Legal obligation: There are laws and rules that oblige the data controller to process certain personal data in its activities.
Exercise of official authority or task in the public interest: The data controller must process personal data in order to carry out its duties as an authority or to carry out a task in the public interest.
Fundamental interest: The data controller must process personal data in order to protect a data subject who cannot give their consent, for example if they are unconscious.
Private and public organisations can base their processing of personal data on different lawful grounds
Private companies, associations and organisations
Companies, associations and organisations in the private sector will mainly use the following lawful grounds
- legal obligation
- weighing of interests.
Authorities and others in the public sector will mainly use the following lawful grounds
- legal obligation
- task in the public interest or exercise of official authority
Private companies may sometimes operate in the public sector, for example when schools or health services are run privately. In other respects, the lawful basis for the processing is task in public interest.
N.B. Authorities may not use weighing of interests when they carry out their tasks.
Document your choices and inform the data subjects
Document you reasoning when you choose legal grounds. You must always inform your data subjects of the lawful grounds upon which you base the processing of their personal data.
Identify the lawful grounds before the processing begins
Since the data subjects have the right to be informed of the legal grounds for the processing of their personal data, the data controller must have clearly defined this even before the personal data is collected.
Each purpose must be linked to one of the lawful grounds
As a rule, each instance of personal data processing needs to be based on only one of the lawful grounds. Therefore make clear why you intend to process personal data and choose only one of the lawful grounds for a specific purpose.
You cannot change lawful grounds while the personal data is being processed.
Some examples: You may not begin to use weighing of interests because a problem has arisen with the validity of a consent.
What is meant by processing being "necessary"?
The General Data Protection Regulation states that the processing of personal data shall be "necessary" in the case of several of lawful grounds, for example in order for you to be able to perform a contract or carry out a task in the public interest. However, the word "necessary" does not have the same meaning here as in everyday language.
The processing leads to efficiency gains
Even if a contract could be performed or a task could be carried out without personal data being processed in a certain way, the processing can be considered to be necessary and thus permitted if it leads to efficiency gains.
But if a task can be carried out almost as simply and cheaply without personal data being processed, it is not necessary to process the personal data in that sense. It might do almost just as well to use anonymous data.
Some examples: Authorities and companies could in theory operate their activities and carry out their tasks manually, without using personal data automatically. However, this is not a realistic alternative. Using technical aids, and thereby processing personal data automatically, is today considered to be more or less necessary.
Always comply with the entire General Data Protection Regulation
In addition to the lawful grounds requirement you must also comply with the other provisions of the General Data Protection Regulation. Remember that the possibility to process personal data is limited by the fundamental principles and other additional requirements concerning certain types of personal data, for example sensitive personal data and data relating to criminal convictions and offences.
Special rules for sensitive personal data
Certain personal data is considered to be so sensitive that it is as a general rule prohibited to process it. Where such data is concerned, it is not sufficient to have one of the above grounds but there are also special rules.
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.