Skip to content

Personal data within law enforcement

Personal data within law enforcement is governed by special laws.

The General Data Protection Regulation does not apply in all sectors of society. Some authorities are tasked with enforcing the law and a special law will be introduced that covers their processing of personal data, the Criminal Data Act. 

The Criminal Data Act applies to personal data processing within law enforcement activities at such authorities as the Swedish Police Authority, the Swedish National Economic Crimes Bureau, the Swedish Customs, the Swedish Tax Agency, the Swedish Coast Guard and the Swedish Prosecution Authority. The term law enforcement activities refers to all work carried out with the purpose of preventing, investigating, detecting or prosecuting crimes.

The Criminal Data Act also applies to activities carried out to execute sentences. Such activities are carried on by for example

  • The Prison and Probation Service in the case of prison sentences
  • The Swedish Enforcement Authority in the case of fines
  • The municipalities' social welfare boards where young people are sentences to care within social services
  • Hospitals, if someone is sentenced to compulsory psychiatric care

The Criminal Data Act also applies to the Swedish Police Authority and the Swedish Coast Guard in their work to maintain public order and security.

The Swedish Security Service is a law enforcement authority but will not be subject to the Criminal Data Act but will have special legislation of its own.

The Criminal Data Act applies only within law enforcement

Many law enforcement authorities also have other tasks, for example border control or customs control, that do not involve law enforcement directly. The Criminal Data Act will not apply to such activities but the entire General Data Protection Regulation will apply instead.

The Criminal Data Act and the General Data Protection Regulation are based on common principles

Both the General Data Protection Regulation and the Criminal Data Act are based on common principles, for example that only processing of data that is necessary for special, explicitly stated and justified purposes is permitted. Nor may more personal data be stored than is needed for one's activities.

Just like everyone else who wishes to process personal data, law enforcement authorities must also have lawful grounds. There must thus exist a law or regulation or a special decision by the government that establishes that the authority is to work with law enforcement.

The authorities are also to appoint data protection officers, consult Swedish Authority for Privacy Protection on how they collect and use personal data, and report certain personal data breaches to Swedish Authority for Privacy Protection. And just like everyone else, law enforcement authorities can be fined if the regulations are not complied with.

Personal data breaches (In Swedish)

What data can law enforcement authorities process?

The Criminal Data Act states that the authorities may only process the personal data that is needed for them to be able to carry out their tasks within law enforcement, to execute a sentence or to maintain public order and security. The authorities must also make a clear distinction between data subjects who are suspects or have been convicted of crimes and those who are data subjects for other reasons, for example because they are witnesses or relatives.

The authorities must also

  • check that the personal data is accurate and up to date
  • rectify any inaccuracies
  • erase the data when it is no longer needed
  • ensure that only authorised persons have access to the personal data
  • ensure that the personal data is handled in a secure manner from an IT security perspective.

Swedish Authority for Privacy Protection supervise

Swedish Authority for Privacy Protection will supervise processing of personal data at law enforcement authorities in the same way as we supervise such processing by other organisations. We will also work to ensure that the exchange of information between law enforcement authorities functions, administer complaints from the data subjects, carry out checks of whether the processing is lawful and decide on fines if the authorities break the law.

About the information on this page

If the information in English is different from the Swedish version of this page, the Swedish version applies.


Swedish version of this text

Latest update: 12 June 2023
Page labels Data protection