Search results

The Swedish Authority for Privacy Protection often receives questions and reports concerning areas outside the scope of our operations. Here is a summary of the most common areas with details of the appropriate authority to contact.

Anyone who processes personal data is either a data controller or a data processor. A data controller is any person or entity that determines the purposes and means of the processing. A data processor is any person or entity that processes personal data on behalf of a data controller.

In addition to the regulations concerning secrecy and duty of confidentiality in health and medical care that follow from the Public Access to Information and Secrecy Act (2009:400) and the Patient Sa

The primary purpose of the Credit Information Act is to protect data subjects' personal privacy but the law is also to contribute to efficient provision of credit information.

A licence from the Swedish Authority for Privacy Protection is normally required to operate credit reference activities. We decide on licences to operate credit reference activities only if the activities can be assumed to be carried on in a knowledgeable and judicious manner. Our evaluation is based on the type and scope of the planned activities.

All care providers are to follow up logs systematically, meaning that they are to log activities in the systems where the patient data is processed. The systems are to be designed to be able to check

The GDPR states that both the data controller and the data processor are obliged to maintain a record or a list of instances of personal data processing.

Our website is divided according to whether you are looking for information as an individual or as a representative of an organisation. Select one of the entries in the menu and you will see the information that applies to you.

The Swedish Authority for Privacy Protection is responsible for the processing of personal data for which the authority determines the purpose and means. The authority processes, for example, personal data in the handling of the authority's business, in the handling of questions and in the administration of courses and subscriptions.

Companies often have operations in several countries and personal data does not always stay in one country. An instance of personal data processing that has a connection to more than one member state of the EU is called cross-border processing.