Data Protection Enforcement in Sweden

Administrative Remedies

The Data Protection Authority has the power to carry out inspections (including gaining access to i) the personal data being processed, ii) property in which personal data is stored and iii) any documents relating to the processing and safeguarding of personal data) as well as to investigate complaints and cases, and to order the suspension of, inter alia, processing and/or transfer of data, as well as the destruction of data and other similar actions; these orders can be appealed to the Swedish county administrative court. Some of the Data Protection Authority’s decisions in this respect are sanctioned with fines (up to SEK 1 000 000) (approximately USD 116 000), should the data controller not comply with the decisions or not provide the Data Protection Authority with the relevant information referred to above.

Civil Remedies

Individuals can file complaints with the Authority, and can seek a judicial remedy (damages) in Swedish courts for violations of the law.

Criminal Remedies

A person may be fined (unspecified value) or, in very severe cases, be imprisoned between 6 months and 2 years depending on the violation. Criminal liability falls on the person responsible at the data controller who is guilty of committing the breach, normally the board of directors. The size of the fine is not fixed and depends on, inter alia, how serious the violations are and the size of the income of the persons subject to the fine in question. According to the Criminal Code, the fine will normally not be lower than SEK 200 (approximately USD 23) and not higher than SEK 150 000 (approximately USD 17,500).

Other Remedies

The right for the data subjects to request correction and deletion of unlawfully processed personal data.