Survey Answer:

General security obligations:
• The GDPR requires that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
• Further, the regulation states that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to the risk.
Obligations regarding privacy by design and privacy by default:
• More specifically, the GDPR requires entities that process personal data to (i) put in place appropriate technical and organizational measures designed to implement the data protection principles and (ii) integrate such safeguards into the processing so that the GDPR's requirements are met and the individuals’ rights are protected (privacy by design).
• Further, measures must be implemented to ensure that, by default, only personal data that is necessary for the specific purpose of the processing is processed (privacy by default). This obligation applies to the amount of personal data collected, the extent of the processing, the retention period and the accessibility of the personal data.
Obligations in case of personal data breach:
• A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
• Such breach shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, be notified to the relevant supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The Data Protection Act, the Crime Data Act and the Crime Data Regulation do not contain any deviations from the GDPR with regards to IT-security.

Provided By:
Johanna Linder, Sara Andersson, Elin Holm, Pierre Olsson, and Isak Åberg: Advokatfirman Cederquist KB