The data subject’s rights
The data subject has the right to be given information when his or her personal data is processed. Information about the personal data processing is to be given by the controller both when the data is collected and when the data subject otherwise so requests. There are also certain other occasions when particular information is to be provided to the data subject, for example if the controller suffers a data intrusion or similar (a personal data breach) and there is a risk of, for example, identity theft or fraud.
The information shall be provided to the data subject free of charge in easily accessible, written form (which may be in electronic form) and be worded in clear, simple language. The General Data Protection Regulation states in detail what information is to be provided. Information is among other things to be provided of the controller's contact details, the lawful basis for the processing and the purpose of the processing.
Right to rectification
Any person has the right to contact a company or authority that processes personal data and request that inaccurate information be rectified. This also means that the individual has the right to add such personal data that is missing and that is relevant taking into account the purpose of the personal data processing. That the entity processing the personal data must itself also ensure that the data is accurate and up to date is also stated in the General Data Protection Regulation's fundamental principles.
If data is rectified at the individual's request, the company or authority must also inform those to whom they have provided data that data has been rectified. This does not however apply if it should prove to be impossible or would involve excessive effort. The individual also has the right to request to be given information about to whom data has been provided.
Right to erasure
Any person has the right to contact a company or authority that processes personal data and request that the data relating to him or her be erased. The data is to be erased in the following cases:
- If the data is no longer needed for the purposes for which it was collected
- If the processing is based on the individual's consent and he or she withdraws it
- If the processing is carried out for direct marketing and the individual objects to the data being processed
- If the individual objects to personal data processing in the context of exercise of official authority or after a weighing of interests and there are no legitimate reasons that override the individual's interests
- If the personal data has been processed unlawfully
- If erasure is required in order to fulfil a legal obligation
- If the personal data relates to a child and was collected in conjunction with the child creating a profile in a social network
- If data is erased at the individual's request, the company or authority must also inform those to whom they have provided data of the erasure. This does not however apply if it should prove to be impossible or would involve excessive effort. The individual also has the right to request to be given information about to whom data has been provided.
When the personal data has been published or otherwise been made public (on a social network, an Internet forum, or on a web page) it is not always sufficient that it is erased there. In such situations the entity that published the data must also take appropriate action to inform others that process the data of the individual's request so that copies of or links to the data are also removed.
There are exceptions to the right to erasure and the obligation to inform others if it is necessary in order to satisfy other important rights such as the right to freedom of expression and freedom of information, fulfil a legal obligation, carry out a task in the public interest or as part of the exercise of official authority.
Right to limitation of processing
In certain cases, individuals have the right to demand that the processing of their personal data be limited. By "limited" is meant that the data is flagged so that it in future may only be processed for certain limited purposes.
The right to limitation applies among other things when the data subject considers that the data is inaccurate and has requested rectification. The data subject can in such cases also request that the processing of their personal data be limited while the accuracy of the data is investigated.
When the limitation ceases to apply, the data subject is to be informed of this.
Anyone who has submitted their personal data has in certain cases the right to be given and to use their personal data elsewhere, for example on another social media service (right to data portability). The entity that received the personal data is obliged to facilitate such a transfer of personal data. This is provided that the entity processes the personal data based on the data subject's consent or to perform a contract with the data subject and it applies only to such personal data that the data subject has provided him- or herself. The right to data portability is new and is introduced in the General Data Protection Regulation.
Right to object
An individual has in certain cases the right to object to his or her personal data being used.
The right to object applies when personal data is processed in order to carry out a task in the public interest, as part of the exercise of official authority or after a weighing of interests has been made.
If the individual objects to the processing in such cases, the data controller may continue to process the data only if it can be demonstrated that there are compelling legitimate reasons for the data needing to be processed that override the individual's interests, rights and freedoms or if the processing is carried out for the establishment, exercise or defence of legal claims.
The individual always has the right to object to his or her personal data being used for direct marketing. Such objections can be made at any time. If an objection to direct marketing is made, the personal data may no longer be processed for such purposes.
Special rules apply in the case of personal data that is processed for scientific or historical research purposes or statistical purposes.
The data controller must inform the data subjects of their right to object.
Automated decision-making, including profiling
The individual has the right to not be the subject of a decision that is only based on some form of automated decision-making, including profiling, if the decision can have legal consequences for the individual or in a similar way affects him or her to a considerable degree.
Automated decision-making may for example consist of automated refusal of a credit application on the Internet or a rejection from e-recruitment via the Internet without any personal contact.
Automated decision-making may be permitted if it is necessary for the entering into or performance of a contract between the data subject and the controller or if the individual has given his or her explicit consent. It may also be permitted under special legislation.
The data controller must inform the data subjects that automated decision-making is used under the general obligation to provide information stated in the regulation.
Automated decisions can be made with or without profiling. Conversely, profiling can be used without this leading to an automated decision. Profiling means any form of automated processing of personal data where the data is used to assess certain personal qualities, in particular to analyse or predict the person's work performance, financial situation, health, personal preferences, interests, dependability, behaviour, place of residence or relocations.
Profiling constitutes personal data processing that must be carried out in accordance with all the provisions of the General Data Protection Regulation.
Anyone who suspects that someone is processing data relating to him or her in a way that contravenes the General Data Protection Regulation can lodge a complaint with Swedish Authority for Privacy Protection. Swedish Authority for Privacy Protection studies all complaints and assesses whether to proceed with the matter and then informs the person who made the complaint.
Anyone who has been harmed by his or her personal data being processed in contravention of the provisions of the General Data Protection Regulation may be entitled to damages from the controller or controllers involved in the processing.
A data processor may also be liable for damages if it has violated the provisions specifically directed at processors or has processed data in violation of the controller's instructions.
The individual can request damages from the data controller or the data processor or take legal action to claim damages in court.
Anyone who has suffered harm in principle has the right to be paid compensation for all the harm by either the data controller or the data processor. They can then settle the claim between themselves. However, a data controller or a processor is under no obligation to pay compensation if they can demonstrate that they are not in any way responsible for the harm.
About the information on this page
If the information in English is different from the Swedish version of this page, the Swedish version applies.