One of the purposes of the General Data Protection Regulation (GDPR) is to protect individuals' fundamental rights and freedoms, particularly their right to protection of their personal data. The right to one's private life is laid down in the European Convention on Human Rights (ECHR). Article 8 provides for a right to respect for one's private and family life, one's home and one's correspondence. The convention has been established as a law in Sweden. The right to respect for one's private and family life is also laid down in Article 7 of the EU Treaty on Fundamental Rights. It also contains special provisions concerning protection of personal data (Article 8). The treaty is legally binding for all EU member states. On a Swedish level, Chapter 2 Section 6 Sub-section 2of the Instrument of Government contains a constitutional right to protection of personal privacy when personal data is processed.
These constitutional provisions concerning the right to one's private life and protection of personal data form the foundation of more detailed legislation on processing of personal data such as under the new General Data Protection Regulation (GDPR).
A further purpose of the General Data Protection Regulation is to create a uniform and harmonised level for the protection of personal data within the EU so that the free movement of personal data within the Union is not hindered. This is achieved through the regulation being directly applicable in the various member states and through the same rules applying throughout the Union. Other purposes of the General Data Protection Regulation include to modernise the rules laid down in the Data Protection Directive from 1995 and to bring them into line with the modern digital society.
The General Data Protection Regulation applies in principle to all automated personal data processing and in some cases also manual processing of personal data. Personal data is any information that refers to an identified or identifiable natural person.
The General Data Protection Regulation applies to personal data processing linked to the EU, either when the entity processing the personal data is established within the EU or when an entity outside the EU offers goods and services to people within the Union or monitors their behaviour here.
The General Data Protection Regulation applies in principle to every kind of operation and activity and regardless of who carries out the processing of the personal data. It thus applies to companies, associations, organisations, authorities and private individuals. There are some exemptions, for example private individuals' processing of personal data. Nor does it apply when someone processes personal data in conjunction with the exercise of their right to freedom of expression or freedom of information.
More information about when the General Data Protection Regulation applies can be found below.
Personal data and personal data processing
The General Data Protection Regulation applies to the processing of personal data. Personal data is any information that refers to an identified or identifiable natural person. What is crucial is that the information on its own or in combination with other information can be linked to a living person. Typical personal data is a person's personal identity number, name and address. Images and sound recordings of individuals that are processed by computer can constitute personal data even if no names are mentioned. Encrypted data and various kinds of electronic identities, for example IP addresses and cookies are considered personal data if they can be linked to natural persons. Information that has been encoded, encrypted or pseudonymised but that can be related to a natural person by means of complementary data also constitutes personal data.
All types of action with personal data constitute personal data processing, for example collecting, registration, organisation, structuring, storage, manipulation, alteration, retrieval, reading, use, disclosure, dissemination or provision in other ways, adjustment or combination, limitation, erasure or destruction.
The General Data Protection Regulation applies to fully or partly automated processing of personal data. It also applies in the case of manual processing of personal data if the personal data is part of or is intended to be part of a manual register that is searchable using special criteria.
Personal data processing covered by the regulation
The General Data Protection Regulation applies to processing of personal data that has some connection to the EU. It thus applies when the data controller or the data processor has a facility within the EU and processes personal data in conjunction with the operations and activities carried on there. Where the actual processing takes place is of no importance. The General Data Protection Regulation also applies to personal data processing that takes place when organisations that are not established within the EU offer goods and services to people resident within the Union or when such organisations monitor people's behaviour here. The last mentioned refers for example to tracking individuals' behaviour on the Internet to create customer profiles or similar.
Exemptions concerning processing of personal data
Natural persons' processing of personal data that is carried out as part of an activity of a purely private nature or that has a connection with his or her household is not subject to the rules stipulated in the regulation. This is thus a matter of processing that is entirely private and without any connection to professional or business activities.
Exemptions in the case of freedom of information and freedom of expression
The General Data Protection Regulation does not apply when someone processes personal data in conjunction with the exercise of their right to freedom of expression or freedom of information. Under the regulation, exemptions for freedom of information and freedom of expression are to be made in national law. In Sweden this means among other things that such personal data processing that is covered by the constitutional protection afforded by the Freedom of the Press Act and the Fundamental Law on Freedom of Expression is exempted if application of the regulation would conflict with the constitutional laws. Processing of personal data that is carried out for journalistic purposes or for academic, artistic or literary creation is also to be exempted from most of the provisions of the General Data Protection Regulation. Such exemptions can today be found in the Personal Data Act and will in future be written into the new legislation that will complement the regulation at national level.
The General Data Protection Regulation does not prevent authorities and other bodies from disclosing official documents under the principle of public access to official records. The obligation to disclose official documents does not however include electronic disclosure and the General Data Protection Regulation therefore applies to such disclosure via, for example, e-mail or the Internet.
Other exemptions from the General Data Protection Regulation
The personal data processing that is necessary for the authorities' law enforcement activities is defined in a special directive from the EU and in national law. The General Data Protection Regulation is therefore not applicable to processing of personal data that is carried out with the purpose of preventing, averting, investigating, detecting or prosecuting crimes or executing sentences. This includes protecting against and preventing threats to public security.
Nor does the General Data Protection Regulation apply to processing of the personal data that is carried out as part of activities that are not covered by Union law, for example activities relating to national security. Such personal data processing is instead governed by national regulations.
Special rules concerning personal data processing also apply to the EU's institutions, bodies and bureaus.
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.